[Snort-users] offset help.

larosa, vjay larosa_vjay at ...3331...
Thu Jun 19 08:21:51 EDT 2003


I was under the impression that you can have two offsets
that apply to the previous content matches. Is it illegal to
specify more than one offset keyword in a Snort rule?

vjl

-----Original Message-----
From: Ciprian Badescu [mailto:ciprian.badescu at ...9292...] 
Sent: Thursday, June 19, 2003 9:39 AM
To: larosa, vjay
Cc: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] offset help.

Hi,

You have two offset definitions in your rule.
Check also:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.10

The number represents the number of bytes (you can see a byte as two hex
numbers).

--
______V______   Ciprian Badescu
A L C A T E L   Mobile Networks Division R&D Center
Phone: +40 56 303100 (ext. 5786)
Fax: +40 56 295386
Email: Ciprian.Badescu at ...9292...

On Thu, 19 Jun 2003, larosa, vjay wrote:

> Date: Thu, 19 Jun 2003 08:34:09 -0400
> From: "larosa, vjay" <larosa_vjay at ...3331...>
> To: "'snort-users at lists.sourceforge.net'"
>     <snort-users at lists.sourceforge.net>
> Subject: RE: [Snort-users] offset help.
>
> Hello Everybody,
>
> I posted this message yesterday and did some more fooling around with the
> offset keyword but still no luck. Does anybody know if the offset and depth
> keywords are specified in hex or decimal?
>
> Thanks!
>
> vjl
>
> -----Original Message-----
> From: larosa, vjay [mailto:larosa_vjay at ...3331...]
> Sent: Wednesday, June 18, 2003 4:28 PM
> To: 'snort-users at lists.sourceforge.net'
> Subject: [Snort-users] offset help.
>
> Hello,
>
> I have been killing myself all afternoon trying to get a rule to work using
> the offset and depth keywords.
> I am trying to match the pattern 07 00 00 00 in the packet below with the
> following rule. Can anybody tell me what I am doing wrong with the depth
> and offset keywords?
>
> Thanks!
>
> vjl
>
> alert tcp any any -> any 139 (msg:"File Write to Win 2K Startup folder.";
> flow:to_server,established
> ; content:"|ff 53 4d 42 a2|"; depth:48; content:"|5c
> 00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|s|00
> | |00|a|00|n|00|d|00| |00|S|00|e|00|t|00|t|00|i|00|n|00|g|00|s|00 5c 00|";
> content:"|5c 00|S|00|t|00
> |a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5c
> 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5c 00|S|00|t|
> 00|a|00|r|00|t|00|u|00|p|00 5c 00|"; content:"|3a 00 24
> 00|D|00|A|00|T|00|A|00|"; content:"|07 00 00
>  00|"; offset:121; depth: 8; classtype:misc-activity; rev:1;)
>
> 06/18-14:36:46.956661 128.221.20.13:1499 -> 128.221.20.34:139
> TCP TTL:128 TOS:0x0 ID:33861 IpLen:20 DgmLen:354 DF
> ***AP*** Seq: 0x8A6230AB  Ack: 0xADE3E800  Win: 0xFDFF  TcpLen: 20
> 0x0000: 00 06 5B 04 18 A6 00 0B DB 19 79 AD 08 00 45 00  ..[.......y...E.
> 0x0010: 01 62 84 45 40 00 80 06 4B 67 80 DD 14 0D 80 DD  .b.E@...Kg......
> 0x0020: 14 22 05 DB 00 8B 8A 62 30 AB AD E3 E8 00 50 18  .".....b0.....P.
> 0x0030: FD FF 84 12 00 00 00 00 01 36 FF 53 4D 42 A2 00  .........6.SMB..
> 0x0040: 00 00 00 18 07 C8 00 00 00 00 00 00 00 00 00 00  ................
> 0x0050: 00 00 02 70 AC 0A 03 D0 43 5C 18 FF 00 DE DE 00  ...p....C\......
> 0x0060: E0 00 16 00 00 00 00 00 00 00 89 00 02 00 00 00  ................
> 0x0070: 00 00 00 00 00 00 80 00 00 00 07 00 00 00 01 00  ................
> 0x0080: 00 00 00 00 00 00 02 00 00 00 00 E3 00 00 5C 00  ..............\.
> 0x0090: 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00  D.o.c.u.m.e.n.t.
> 0x00A0: 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00  s. .a.n.d. .S.e.
> 0x00B0: 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00  t.t.i.n.g.s.\.A.
> 0x00C0: 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00  d.m.i.n.i.s.t.r.
> 0x00D0: 61 00 74 00 6F 00 72 00 5C 00 53 00 74 00 61 00  a.t.o.r.\.S.t.a.
> 0x00E0: 72 00 74 00 20 00 4D 00 65 00 6E 00 75 00 5C 00  r.t. .M.e.n.u.\.
> 0x00F0: 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 73 00  P.r.o.g.r.a.m.s.
> 0x0100: 5C 00 53 00 74 00 61 00 72 00 74 00 75 00 70 00  \.S.t.a.r.t.u.p.
> 0x0110: 5C 00 45 00 46 00 4C 00 48 00 33 00 30 00 31 00  \.E.F.L.H.3.0.1.
> 0x0120: 31 00 2E 00 50 00 50 00 44 00 3A 00 05 00 52 00  1...P.P.D.:...R.
> 0x0130: 61 00 65 00 63 00 32 00 35 00 70 00 68 00 34 00  a.e.c.2.5.p.h.4.
> 0x0140: 73 00 75 00 64 00 62 00 66 00 30 00 68 00 41 00  s.u.d.b.f.0.h.A.
> 0x0150: 61 00 71 00 35 00 65 00 68 00 77 00 33 00 4E 00  a.q.5.e.h.w.3.N.
> 0x0160: 66 00 3A 00 24 00 44 00 41 00 54 00 41 00 00 00  f.:.$.D.A.T.A...
>
> V.Jay LaRosa                   EMC Corporation
> Information Security          4400 Computer Dr.
> (508)898-7433 Office       Westboro, MA 01580
> (508)353-1348 Cell           www.emc.com <http://www.emc.com>
> 888-799-9750 Pager         vjl at ...3331...
>
>



