[Snort-users] byte_jump question

Mark Trolley mtrolley at ...14423...
Tue Sep 23 14:40:01 EDT 2008


I'm having trouble using byte_jump, so I'm looking for some assistance. The packet in question has a 4-byte header, the last 2 bytes of which contain the length of the entire payload (including the header). The data I want to check is contained in the last 5 bytes of the payload. For example, if the payload were:

00 00 00 34 ... 11 22 33 44 55

the length of the payload is 52 bytes, and bytes 48-52 contain the pattern I want to check for.

My first question is: is this byte_jump correct for putting the doe_ptr at the end of the payload?

byte_jump:2,2,from_beginning;

This isn't working for me though. When I have this as part of my rule it doesn't get triggered. Using the same example as above I get a hit if I use this as my rule:

alert tcp any any -> any any (msg:"Message here"; content:"|00 00 00|"; offset:0; depth:3; sid:1000000; rev:1;)  # works

but I don't get a hit if I add the byte_jump:

alert tcp any any -> any any (msg:"Message here"; content:"|00 00 00|"; offset:0; depth:3; byte_jump:2,2,from_beginning; sid:1000000; rev:1;)  # does not work

What am I missing?

Thanks,
Mark
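The following is an added example, not part of the original post and not Snort's own code: a small Python model of the byte_jump offset arithmetic described in the Snort manual (bytes to read, offset, from_beginning, multiplier, post_offset), run over a constructed 52-byte payload laid out like the one in the post. It assumes the header and payload layout the poster describes, and it assumes a strict bounds rule (a jump target is accepted only when 0 <= target < payload length), so a target equal to the payload length, one past the last byte, is rejected. That bounds rule is a modelling assumption and is the first thing to verify against the bounds check in your Snort version's sp_byte_jump.c; the post_offset option used to land on the last 5 bytes is taken from the manual's byte_jump option list and is the example's suggestion, not the poster's.

```python
"""Model of Snort byte_jump offset arithmetic (added example, not Snort code).

Payload layout from the post: 4-byte header, bytes 2..3 hold the big-endian
length of the whole payload (header included), and the 5 bytes of interest
sit at the very end of the payload.
"""
import struct

# Constructed sample payload, 0x34 = 52 bytes: 00 00 00 34 <filler> 11 22 33 44 55
PAYLOAD_LEN = 0x34
TAIL = bytes.fromhex("11 22 33 44 55")
FILLER = bytes(range(PAYLOAD_LEN - 4 - len(TAIL)))  # 43 bytes of filler
SAMPLE = b"\x00\x00" + struct.pack(">H", PAYLOAD_LEN) + FILLER + TAIL
assert len(SAMPLE) == PAYLOAD_LEN


def byte_jump_target(payload, doe_ptr, nbytes, offset, from_beginning=False,
                     relative=False, multiplier=1, post_offset=0, little=False):
    """Return the offset byte_jump would move doe_ptr to (bounds not yet checked).

    Option semantics modelled on the Snort manual: read `nbytes` at `offset`
    (counted from doe_ptr when `relative`, else from payload start), multiply,
    then jump from the payload start (`from_beginning`) or from the end of the
    bytes just read, and finally add `post_offset` (may be negative).
    Raises ValueError if the length field itself cannot be read.
    """
    start = (doe_ptr if relative else 0) + offset
    if start < 0 or start + nbytes > len(payload):
        raise ValueError("length field lies outside the payload")
    value = int.from_bytes(payload[start:start + nbytes],
                           "little" if little else "big") * multiplier
    target = value if from_beginning else start + nbytes + value
    return target + post_offset


def in_bounds(payload, ptr):
    """Modelling assumption: a pointer sitting exactly at the payload end is out of bounds."""
    return 0 <= ptr < len(payload)


def content_at(payload, doe_ptr, pattern):
    """Model of a `content` match anchored at the current detection offset."""
    return payload[doe_ptr:doe_ptr + len(pattern)] == pattern


def run_rule(payload, post_offset=0):
    """Model of: content:"|00 00 00|"; offset:0; depth:3;
    byte_jump:2,2,from_beginning[,post_offset <post_offset>];
    content:"|11 22 33 44 55|"; (the final content match is the example's addition)
    """
    if not content_at(payload, 0, b"\x00\x00\x00"):
        return False
    doe_ptr = 3  # a content match leaves doe_ptr just past the matched bytes
    try:
        target = byte_jump_target(payload, doe_ptr, 2, 2, from_beginning=True,
                                  post_offset=post_offset)
    except ValueError:
        return False
    if not in_bounds(payload, target):
        return False  # the byte_jump option fails and the rule stops here
    return content_at(payload, target, TAIL)


if __name__ == "__main__":
    # The post's byte_jump resolves to offset 52 on a 52-byte payload:
    # one past the last byte, so there is nothing left to match there.
    print("target:", byte_jump_target(SAMPLE, 3, 2, 2, from_beginning=True))
    print("post's rule:", run_rule(SAMPLE))
    print("with post_offset -5:", run_rule(SAMPLE, post_offset=-5))
    # A payload shorter than its length field claims is rejected by the bounds check.
    print("truncated payload:", run_rule(SAMPLE[:40], post_offset=-5))
```

With the post's parameters the model puts doe_ptr at offset 52, which equals the payload length, so nothing can be matched there and a strict bounds check fails the option; subtracting the length of the trailing pattern with post_offset lands on offset 47, the start of the last 5 bytes, and a truncated payload whose length field overstates its size is rejected rather than matched.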