[Snort-sigs] Issue with byte_test and bitmask

Damian Torres datorr2 at gmail.com
Fri Sep 29 15:19:56 EDT 2017


Al,


I did read that part of the manual mentioning the right-shift, but I guess
I really wasn't understanding it.  Your explanation made a lot of sense and
really made everything click.  I tested this out not only on the
signature mentioned previously, but also on additional signatures and
everything's working like a charm.

Thanks a ton!


Warm Regards,

Damian Torres


On Thu, Sep 28, 2017 at 8:09 AM, Al Lewis (allewi) <allewi at cisco.com> wrote:

> Hello,
>
> I think you are missing the last part. From the manual for bitmask:
>
> "Applies the AND operator on the bytes converted. The result will be
> right-shifted by the number of bits equal to the number of trailing zeros
> in the mask."
>
> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004531000000000000000
>
>
> So in your case the result will be shifted right 3 zeros resulting in the
> number 7 which is what you should be matching on.
>
> Attached is a test.
>
> In packets 1 and 3 the values are 0x38 and 0x3a. Doing the AND results in
> a match for both.
>
> In packets 2 and 4 the values are 0x49 and 0x37. Doing the AND results in
> a non match for both.
>
>
> [alewis at cliffjumper snort-2.9.9.0-released]$ ./bin/snort -c
> etc/torres.conf -r /tmp/TRASH.pcap -Aconsole:test -q -k none
> 1 1 1 0
> 3 1 1 0
> [alewis at cliffjumper snort-2.9.9.0-released]$ cat etc/torres.conf | grep
> alert
> alert udp any any -> any 53 (msg:"TEST for 0x38";
> byte_test:1,=,0x07,0,bitmask 0xF8; sid:1; )
>
>
> Try this out and let us know how it goes.
>
> Thanks!
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi at cisco.com
>
> From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Damian
> Torres via Snort-sigs <snort-sigs at lists.snort.org>
> Reply-To: Damian Torres <datorr2 at gmail.com>
> Date: Wednesday, September 27, 2017 at 6:04 PM
> To: Snort-Sigs <snort-sigs at lists.snort.org>
> Subject: [Snort-sigs] Issue with byte_test and bitmask
>
> Greetings.
>
>
> I've been working on some rules that involve byte_test and although I've
> been able to flesh some of them out, I'm banging my head against the wall
> with one in particular.  Here is what I'm currently working on:
>
> alert udp any any -> any 53 (msg:"OpenVPN_P_CONTROL_HARD_RESET_CLIENT_V2";
> byte_test:1,=,0x38,0,bitmask 0xF8; classtype:not-suspicious; sid:1; rev:1;)
>
> The byte that I am trying to test against is the very first byte in the
> beginning of the payload (right after the UDP header), byte 0.  Much like
> DNS, this byte contains multiple values.  In this case, this contains two
> values for the protocol.  The first five bits correspond to an opcode, and
> the last three bits correspond to a key value.  So with 0x38, we have:
>
> 0011 1000
>
> The first five bits have to be:
>
> 0011 1XXX - opcode of 7
>
> I am trying to write the signature to fire regardless of what the last 3
> bits are (any key) as long as the opcode is 7.  To do this, I tried:
>
> byte_test:1,=,0x38,0;  -- This works if the opcode is 7 and the key is 0.
> byte_test:1,=,0x38,0,bitmask 0xF8 -- This doesn't work at all.
> byte_test:1,!&,0xc7,0; -- This fires on multiple opcodes.
>
> My understanding is that with the "bitmask 0xF8" option, it should do a
> bitwise AND operation using 0xF8 before evaluating the equality portion of
> the byte_test, which should drop off the last 3 bits and keep the first 5
> bits exactly and then make sure they equal 0x38, but for some reason, it
> doesn't work.
>
>
> I am testing this using Snort v2.9.9.0 GRE (Build 56) compiled from source.
>
> Any assistance would be greatly appreciated.
>
>
> Warm Regards,
>
> Damian Torres
>
>
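As an added illustration of the AND-then-right-shift rule Al quotes from the manual, the following Python models how byte_test evaluates a one-byte field with a bitmask. This is example code written for this page, not code from the thread or from Snort itself; the function names (apply_bitmask, byte_test, matching_packets) are invented here, and the sample payloads are constructed so that their first bytes are the four values from Al's test pcap (0x38, 0x49, 0x3a, 0x37). It also evaluates the three rule variants from the original question to show why only the shifted comparison against 0x07 isolates opcode 7.

```python
from typing import List, Optional, Tuple


def trailing_zero_bits(mask: int) -> int:
    """Number of trailing zero bits in mask; 0xF8 = 1111 1000 gives 3."""
    if mask == 0:
        raise ValueError("bitmask must be non-zero")
    return (mask & -mask).bit_length() - 1


def apply_bitmask(value: int, mask: int) -> int:
    """byte_test 'bitmask' semantics: AND with the mask, then shift right
    by the number of trailing zeros in the mask (per the Snort manual)."""
    return (value & mask) >> trailing_zero_bits(mask)


def byte_test(payload: bytes, size: int, operator: str, expected: int,
              offset: int, bitmask: Optional[int] = None) -> bool:
    """Minimal model of byte_test:<size>,<op>,<value>,<offset>[,bitmask <m>].
    Bytes are read big-endian; a leading '!' negates the operator."""
    if offset < 0 or offset + size > len(payload):
        return False  # not enough payload to test
    value = int.from_bytes(payload[offset:offset + size], "big")
    if bitmask is not None:
        value = apply_bitmask(value, bitmask)
    negate = operator.startswith("!") and len(operator) > 1
    op = operator[1:] if negate else operator
    if op == "=":
        result = value == expected
    elif op == "<":
        result = value < expected
    elif op == ">":
        result = value > expected
    elif op == "&":
        result = (value & expected) != 0
    elif op == "^":
        result = (value ^ expected) != 0
    else:
        raise ValueError(f"unsupported operator {operator!r}")
    return (not result) if negate else result


def opcode(first_byte: int) -> int:
    """Upper five bits of the first payload byte (the opcode field)."""
    return first_byte >> 3


# Constructed sample packets: first byte taken from Al's four test packets,
# padded with zeros to stand in for the rest of the payload.
SAMPLE_PACKETS: List[Tuple[int, bytes]] = [
    (1, bytes([0x38]) + b"\x00" * 3),
    (2, bytes([0x49]) + b"\x00" * 3),
    (3, bytes([0x3A]) + b"\x00" * 3),
    (4, bytes([0x37]) + b"\x00" * 3),
]


def matching_packets(operator: str, expected: int,
                     bitmask: Optional[int] = None) -> List[int]:
    """Packet numbers on which a one-byte byte_test at offset 0 fires."""
    return [num for num, payload in SAMPLE_PACKETS
            if byte_test(payload, 1, operator, expected, 0, bitmask)]


def rule_variants() -> dict:
    """The three variants from the original question plus Al's fix."""
    return {
        "=,0x38 (no mask)":        matching_packets("=", 0x38),
        "=,0x38,bitmask 0xF8":     matching_packets("=", 0x38, 0xF8),
        "!&,0xc7 (no mask)":       matching_packets("!&", 0xC7),
        "=,0x07,bitmask 0xF8":     matching_packets("=", 0x07, 0xF8),
    }


if __name__ == "__main__":
    for num, payload in SAMPLE_PACKETS:
        b = payload[0]
        print(f"packet {num}: first byte 0x{b:02x}, opcode {opcode(b)}, "
              f"masked+shifted {apply_bitmask(b, 0xF8)}")
    for rule, hits in rule_variants().items():
        print(f"{rule:28} -> fires on packets {hits}")
```

Running the block reproduces Al's result: only packets 1 and 3 (first bytes 0x38 and 0x3a, both opcode 7) fire for `=,0x07,bitmask 0xF8`, while the original `=,0x38,bitmask 0xF8` can never fire because the shifted value is at most 0x1F. The `!&,0xc7` variant fires on any byte whose bits 0, 1, 2, 6 and 7 are clear, so opcodes other than 7 (for example 0x08, opcode 1) match it too.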