[Snort-users] Rule to capture only packets with certain content/bytes

Brian bmc at ...950...
Sun Nov 30 14:54:09 EST 2003


I've added snort-sigs, since this discussion should be there.  Ok, first
things first.  Don't use tcpdump for your packet display.  You are
seeing the Ethernet, IP and UDP headers.  (BTW... I'm guessing
217.82.XXX.XXX is you?)

Let's cut out everything that isn't the UDP datagram.

We get this:

>                                    8B 0F 00 4D 4A 31 ....l..!.X...MJ1
> 0030 32 20 7C 7C 20 4D 61 73 74 65 72 00 00 00 96 18 2 || Master.....
> 0040 00 00 00                                        ...

and this:

>                                    8B 1F 00 49 68 61 ..8Bl..1n....Iha
> 0030 76 65 61 6C 6F 6E 67 6E 61 6D 65 73 69 6E 63 65 vealongnamesince
> 0040 73 70 6F 6F 6B 73 74 61 68 74 6F 00 00 00 96 29 spookstahto....)
> 0050 00 00 00                                        ...

Now that's a ton less data to look at.  Let's try and figure out this
protocol.

1) the first byte is similar. (0x8B)
2) the second byte looks like the length of the message being sent.
   ("Ihavealongnamesincespookstahto" in the second example)
3) after the message, there is a similar string (0x00000096, not 
   0x00000090 like you mentioned) 
4) one byte after the previous string there is another similar string
   (0x000000)

So let's put the meat of the rule together based on what we figured out.

    content:"|8B|"; depth:1; byte_jump:1,1; content:"|00 00 00 96|";
    distance:0; within:4; content:"|00 00 00|"; distance:1; within:3;

Since you say this traffic is always on port 27888, we can include that
in the rule as well.  Our finished rule now looks like this:

    alert udp any any -> any 27888 (content:"|8B|"; depth:1; 
        byte_jump:1,1; content:"|00 00 00 96|"; distance:0; within:4; 
        content:"|00 00 00|"; distance:1; within:3;)

Of course, you need a sid, a classtype, and a message.  Oh, and
references to what this packet means would be useful too.  :P

-brian
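The rule options above (content/depth, byte_jump, distance/within) can be checked by hand against the two datagrams before the rule is loaded into Snort. The following Python is an added example, not code from the post or from the Snort project: it re-implements the matching logic those options express, runs it over the two UDP payloads from the post (re-typed from the hex dumps) and over a constructed non-matching payload that carries the 0x00000090 trailer the original question mentioned, and shows where the sid/msg/classtype still have to be filled in (the sid and msg values used are placeholders, not from the post).

```python
# Added example: emulate the detection logic of the Snort rule from the post.
# Rule being emulated:
#   content:"|8B|"; depth:1; byte_jump:1,1; content:"|00 00 00 96|";
#   distance:0; within:4; content:"|00 00 00|"; distance:1; within:3;

SIG_BYTE = 0x8B
TRAILER_A = bytes.fromhex("00000096")
TRAILER_B = bytes.fromhex("000000")

# UDP payloads re-typed from the two hex dumps in the post (headers stripped).
SAMPLE_1 = bytes.fromhex(
    "8B 0F 00 4D 4A 31 32 20 7C 7C 20 4D 61 73 74 65 72 00 00 00 96 18 00 00 00"
)
SAMPLE_2 = bytes.fromhex(
    "8B 1F 00 49 68 61 76 65 61 6C 6F 6E 67 6E 61 6D 65 73 69 6E 63 65"
    "73 70 6F 6F 6B 73 74 61 68 74 6F 00 00 00 96 29 00 00 00"
)
# Constructed negative case: same as SAMPLE_1 but with the 0x90 trailer the
# original poster thought they had seen, which the rule must not match.
BAD_TRAILER = SAMPLE_1[:20] + b"\x90" + SAMPLE_1[21:]


def matches_rule(payload: bytes) -> bool:
    """Return True if the payload satisfies the rule options in the post."""
    # content:"|8B|"; depth:1 -> first byte of the datagram must be 0x8B
    if len(payload) < 2 or payload[0] != SIG_BYTE:
        return False
    # byte_jump:1,1 -> read one byte at offset 1 (the length field) and move
    # the detection cursor to just past the variable-length message
    msg_len = payload[1]
    cursor = 2 + msg_len
    # content:"|00 00 00 96|"; distance:0; within:4 -> trailer must start
    # exactly at the cursor (window of 4 bytes, 4-byte pattern)
    if payload[cursor:cursor + 4] != TRAILER_A:
        return False
    cursor += 4
    # distance:1; within:3 -> skip the one varying byte (0x18 / 0x29 above),
    # then the 3 zero bytes must follow immediately
    cursor += 1
    return payload[cursor:cursor + 3] == TRAILER_B


def extract_message(payload: bytes) -> str:
    """Pull out the message the length byte describes (point 2 in the post).

    The length counts the 0x00 byte at offset 2 plus the text, so the text
    itself runs from offset 3 to 2 + length.
    """
    return payload[3:2 + payload[1]].decode("ascii")


def build_rule(sid: int, msg: str, classtype: str = "misc-activity") -> str:
    """Assemble the finished rule with the metadata the post says is missing.

    sid/msg are caller-supplied placeholders; classtype defaults to a
    standard Snort classification.
    """
    return (
        f'alert udp any any -> any 27888 (msg:"{msg}"; content:"|8B|"; depth:1; '
        'byte_jump:1,1; content:"|00 00 00 96|"; distance:0; within:4; '
        'content:"|00 00 00|"; distance:1; within:3; '
        f"classtype:{classtype}; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    for name, sample in (("sample 1", SAMPLE_1), ("sample 2", SAMPLE_2),
                         ("bad trailer", BAD_TRAILER)):
        hit = matches_rule(sample)
        text = extract_message(sample) if hit else "-"
        print(f"{name:12s} match={hit!s:5s} message={text}")
    # sid 1000001 is a placeholder in the local (>= 1000000) range
    print(build_rule(1000001, "PLACEHOLDER udp 27888 0x8B message"))
```

Running the script reports a match for both payloads from the post, prints the messages "MJ12 || Master" and "Ihavealongnamesincespookstahto", and rejects the constructed 0x90 variant; swapping the length byte or dropping the trailing zeros likewise makes `matches_rule` return False, which is the same behaviour the `byte_jump` plus `distance`/`within` pairing enforces inside Snort.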
