[Snort-users] align option of byte_jump

Brian bmc at ...950...
Thu Sep 4 14:10:19 EDT 2003


On Thu, Sep 04, 2003 at 11:19:59AM -0700, Martin Hofmeister wrote:
> alert udp any any -> any 32770:34000 (content: "| 00 01 86 B8 |"; \
>                     content: "| 00 00 00 01|"; distance: 4; within: 4; \
>                     byte_jump: 4, 12, relative, align; \
>                     byte_test: 4, >, 900, 20, relative; \
>                     msg: "statd format string buffer overflow";)
> 
> The byte_jump has specified 4 bytes to convert, so why would we need the 
> "align" option in this example since we are already converting 32 bits 
> (4 bytes)?

align tells byte_jump to jump to the end of the 32 bit boundary.

Example:
If the number you end up with is 9 bytes, when byte_jump jumps, it will jump
12 bytes.  (9, then end on the 32 bit boundary)

This is super useful in dealing with RPC traffic, since everything is
aligned on the 32 bit boundry.

-brian
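To make the rounding concrete, here is a small emulation of byte_jump and byte_test, added here and not part of the original post or of Snort's own code; it replays the quoted rule against a constructed statd RPC call with a 9-byte hostname and assumes the standard AUTH_UNIX credential layout (stamp, machinename, uid, gid, gids) so that the relative offsets land where the rule expects.

```python
import struct

def byte_jump(payload, cursor, num_bytes, offset, relative=False, align=False):
    """Emulate Snort's byte_jump: read num_bytes at offset (from the payload
    start, or from the detection cursor when relative), convert the big-endian
    value, round it up to the next 32-bit boundary when align is set, and
    return the new cursor: just past the converted field, plus the value."""
    start = (cursor if relative else 0) + offset
    field = payload[start:start + num_bytes]
    if len(field) != num_bytes:
        raise ValueError("byte_jump field runs past the end of the payload")
    value = int.from_bytes(field, "big")
    if align and value % 4:
        value += 4 - value % 4          # e.g. 9 becomes 12, as in the reply
    return start + num_bytes + value

def byte_test_gt(payload, cursor, num_bytes, threshold, offset, relative=False):
    """Emulate byte_test: num_bytes, >, threshold, offset [, relative]."""
    start = (cursor if relative else 0) + offset
    field = payload[start:start + num_bytes]
    return len(field) == num_bytes and int.from_bytes(field, "big") > threshold

def statd_rule_matches(payload, align=True):
    """Walk the quoted rule: two content matches, then byte_jump, then byte_test."""
    pos = payload.find(b"\x00\x01\x86\xb8")             # RPC program 100024 (statd)
    if pos < 0:
        return False
    cursor = pos + 4
    # content "|00 00 00 01|"; distance:4; within:4 -> must sit exactly 4 bytes on
    if payload[cursor + 4:cursor + 8] != b"\x00\x00\x00\x01":
        return False
    cursor += 8
    cursor = byte_jump(payload, cursor, 4, 12, relative=True, align=align)
    return byte_test_gt(payload, cursor, 4, 900, 20, relative=True)

def xdr_string(s):
    """XDR string: 4-byte length, the bytes, zero padding to a 4-byte boundary."""
    return struct.pack(">I", len(s)) + s + b"\x00" * (-len(s) % 4)

def build_statd_call(hostname, mon_name_len):
    """Constructed RPC CALL to statd proc 1: AUTH_UNIX credential (stamp,
    machinename, uid, gid, empty gids), AUTH_NULL verifier, then mon_name."""
    hdr = struct.pack(">6I", 0x1234, 0, 2, 100024, 1, 1)  # xid, CALL, rpcvers, prog, vers, proc
    cred = struct.pack(">I", 0) + xdr_string(hostname) + struct.pack(">3I", 0, 0, 0)
    pkt = hdr + struct.pack(">II", 1, len(cred)) + cred + struct.pack(">II", 0, 0)
    return pkt + struct.pack(">I", mon_name_len) + b"A" * mon_name_len

if __name__ == "__main__":
    pkt = build_statd_call(b"host12345", 1000)     # 9-byte hostname, 1000-byte mon_name
    print(statd_rule_matches(pkt), statd_rule_matches(pkt, align=False))  # True False
```

Without align the jump lands 3 bytes short of the next XDR field, so the byte_test reads a misaligned value and the rule silently misses the oversized argument.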
