[Snort-users] Rule to capture only packets with certain content/bytes

Admin admin at ...10654...
Sun Nov 30 10:10:02 EST 2003


Hello snort-users,

Its probebly very easy but i cant get it to work.
I want to capture nicknames from an UDP packet which has
a maximum size of 83 bytes and with only a few bytes that
are unique.

These are 2 example packets

0000 00 90 27 A7 69 5D 00 08 E2 C6 38 00 08 00 45 20 ..'.i]....8...E
0010 00 35 C8 95 00 00 75 11 A7 CB D9 52 29 76 D9 78 .5....u....R)v.x
0020 F8 F5 0C C3 6C F0 00 21 2E 58 8B 0F 00 4D 4A 31 ....l..!.X...MJ1
0030 32 20 7C 7C 20 4D 61 73 74 65 72 00 00 00 96 18 2 || Master.....
0040 00 00 00                                        ...

0000 00 90 27 A7 69 5D 00 08 E2 C6 38 00 08 00 45 00 ..'.i]....8...E
0010 00 45 AC C2 00 00 6F 11 1A 0B 51 E3 60 89 D9 78  .E....o...Q.`..x
0020 F8 F5 38 42 6C F0 00 31 6E FE 8B 1F 00 49 68 61 ..8Bl..1n....Iha
0030 76 65 61 6C 6F 6E 67 6E 61 6D 65 73 69 6E 63 65 vealongnamesince
0040 73 70 6F 6F 6B 73 74 61 68 74 6F 00 00 00 96 29 spookstahto....)
0050 00 00 00                                        ...

The only byte(s) which returns in all packets is 8B and 00 00 00 90,
but 8B returns in a lot of other packets so not really usefull, also
the last 00 00 00 always returns but the byte before it changes with
every packet.


This is how i startup Win Snort:
snort -de -l c:/snort/log -c C:\Snort\etc\test.conf

And i`ve started with this rule in the test.conf
log udp any any -> 217.120.248.245 27888

This did capture all the files on port 27888 as i whas suppose to do,
after this i added (content: "|83|";) this also did work but it still
did capture to many files.
So i did change it to (content: "|00 00 00 90|";) and with this
setting it doesnt capture anything anymore.

What am i doing wrong ???

What do i need to do to only get packets which contain 00 00 00 90,
or if anyone has a better ideas/rules please hook me up with it.


-- 
Best regards,
  GJ de Boer





More information about the Snort-users mailing list