[Snort-users] offset help.

larosa, vjay larosa_vjay at ...3331...
Thu Jun 19 05:36:22 EDT 2003


Hello Everybody,
 
I posted this message yesterday and did some more fooling around with the
offset keyword but still no luck. Does anybody know if the offset and depth
keywords are specified in hex or decimal?
 
Thanks!
 
vjl
 
-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay at ...3331...] 
Sent: Wednesday, June 18, 2003 4:28 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] offset help.
 
Hello,
 
I have been killing myself all afternoon trying to get a rule to work using
the offset and depth keywords.
I am trying to match the pattern 07 00 00 00 in the packet below with the
following rule. Can anybody tell me what I am doing wrong with the depth
and offset keywords?
 
Thanks!
 
vjl
 
alert tcp any any -> any 139 (msg:"File Write to Win 2K Startup folder."; \
    flow:to_server,established; \
    content:"|ff 53 4d 42 a2|"; depth:48; \
    content:"|5c 00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|s|00| |00|a|00|n|00|d|00| |00|S|00|e|00|t|00|t|00|i|00|n|00|g|00|s|00 5c 00|"; \
    content:"|5c 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5c 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5c 00|S|00|t|00|a|00|r|00|t|00|u|00|p|00 5c 00|"; \
    content:"|3a 00 24 00|D|00|A|00|T|00|A|00|"; \
    content:"|07 00 00 00|"; offset:121; depth:8; \
    classtype:misc-activity; rev:1;)
 
06/18-14:36:46.956661 128.221.20.13:1499 -> 128.221.20.34:139
TCP TTL:128 TOS:0x0 ID:33861 IpLen:20 DgmLen:354 DF
***AP*** Seq: 0x8A6230AB  Ack: 0xADE3E800  Win: 0xFDFF  TcpLen: 20
0x0000: 00 06 5B 04 18 A6 00 0B DB 19 79 AD 08 00 45 00  ..[.......y...E.
0x0010: 01 62 84 45 40 00 80 06 4B 67 80 DD 14 0D 80 DD  .b.E at ...9504...
0x0020: 14 22 05 DB 00 8B 8A 62 30 AB AD E3 E8 00 50 18  .".....b0.....P.
0x0030: FD FF 84 12 00 00 00 00 01 36 FF 53 4D 42 A2 00  .........6.SMB..
0x0040: 00 00 00 18 07 C8 00 00 00 00 00 00 00 00 00 00  ................
0x0050: 00 00 02 70 AC 0A 03 D0 43 5C 18 FF 00 DE DE 00  ...p....C\......
0x0060: E0 00 16 00 00 00 00 00 00 00 89 00 02 00 00 00  ................
0x0070: 00 00 00 00 00 00 80 00 00 00 07 00 00 00 01 00  ................
0x0080: 00 00 00 00 00 00 02 00 00 00 00 E3 00 00 5C 00  ..............\.
0x0090: 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00  D.o.c.u.m.e.n.t.
0x00A0: 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00  s. .a.n.d. .S.e.
0x00B0: 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00  t.t.i.n.g.s.\.A.
0x00C0: 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00  d.m.i.n.i.s.t.r.
0x00D0: 61 00 74 00 6F 00 72 00 5C 00 53 00 74 00 61 00  a.t.o.r.\.S.t.a.
0x00E0: 72 00 74 00 20 00 4D 00 65 00 6E 00 75 00 5C 00  r.t. .M.e.n.u.\.
0x00F0: 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 73 00  P.r.o.g.r.a.m.s.
0x0100: 5C 00 53 00 74 00 61 00 72 00 74 00 75 00 70 00  \.S.t.a.r.t.u.p.
0x0110: 5C 00 45 00 46 00 4C 00 48 00 33 00 30 00 31 00  \.E.F.L.H.3.0.1.
0x0120: 31 00 2E 00 50 00 50 00 44 00 3A 00 05 00 52 00  1...P.P.D.:...R.
0x0130: 61 00 65 00 63 00 32 00 35 00 70 00 68 00 34 00  a.e.c.2.5.p.h.4.
0x0140: 73 00 75 00 64 00 62 00 66 00 30 00 68 00 41 00  s.u.d.b.f.0.h.A.
0x0150: 61 00 71 00 35 00 65 00 68 00 77 00 33 00 4E 00  a.q.5.e.h.w.3.N.
0x0160: 66 00 3A 00 24 00 44 00 41 00 54 00 41 00 00 00  f.:.$.D.A.T.A...
 
V.Jay LaRosa                   EMC Corporation
Information Security          4400 Computer Dr.
(508)898-7433 Office       Westboro, MA 01580
(508)353-1348 Cell           www.emc.com <http://www.emc.com> 
888-799-9750 Pager         vjl at ...3331...
 

