[Snort-users] byte_jump question

Mark Trolley mtrolley at ...14423...
Tue Sep 23 15:56:02 EDT 2008


No, I don't want to do that. I just don't know any better way to get to the end of the packet and check the last 5 bytes. All I know is the length of the payload because it's in the header, and it's variable. Is there a simpler way to check for a pattern at the end of the packet?

Thanks,
Mark

________________________________

From: Alex Kirk [mailto:akirk at ...1935...]
Sent: Tuesday, September 23, 2008 3:49 PM
To: Mark Trolley
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] byte_jump question


First things first, this byte_jump, if successful, would put you just *past* the end of the content you want to examine. You sure you want do to that, and that there's no better way to examine things? Looking backwards in packets can be dicey business, very prone to errors.

That said, the problem is that your jump is taking you to the very end of the packet, and Snort won't allow that - since there's no further data beyond where its internal pointer ends up, it figures it's not safe to continue, and it fails out. Check the two attached PCAPs with the following rule to see what I mean:

alert tcp $EXTERNAL_NET any -> $HOME_NET 5190 (msg:"Test byte_jump"; content:"|2A|"; depth:1; byte_jump:1,2,from_beginning; sid:99990;)

test-byte-jump.pcap succeeds on packet #9, because it goes 9 bytes from the start of the packet, and has 1 remaining byte beyond that. test-byte-jump2.pcap fails on that same packet, because it tries to go 10 bytes from the start, and has nothing left beyond it.

Alex Kirk
Research Analyst
Sourcefire, Inc.


On Tue, Sep 23, 2008 at 2:40 PM, Mark Trolley <mtrolley at ...14423...> wrote:


        I'm having trouble using byte_jump so am looking for some assistance. The packet in question has a 4 byte header, the last 2 bytes of which contain the length of the entire payload (including the header). The data I want to check is contained in the last 5 bytes of the payload. For example if the payload were:

        00 00 00 34 ... 11 22 33 44 55

        the length of the payload is 52 bytes, and bytes 48-52 contain the pattern I want to check for.

        My first question is is this byte_jump correct to put the doe_ptr to the end of the payload:

        byte_jump:2,2,from_beginning;

        This isn't working for me though. When I have this as part of my rule it doesn't get triggered. Using the same example as above I get a hit if I use this as my rule:

        alert tcp any any -> any any (msg:"Message here"; content:"|00 00 00|"; offset:0; depth:3; sid:1000000; rev:1;)  # works

        but I don't get a hit if I add the byte_jump:

        alert tcp any any -> any any (msg:"Message here"; content:"|00 00 00|"; offset:0; depth:3; byte_jump:2,2,from_beginning; sid:1000000; rev:1;)  # does not work

        What am I missing?

        Thanks,
        Mark

        -------------------------------------------------------------------------
        This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
        Build the coolest Linux based applications with Moblin SDK & win great prizes
        Grand prize is a trip for two to an Open Source event anywhere in the world
        http://moblin-contest.org/redirect.php?banner_id=100&url=/
        _______________________________________________
        Snort-users mailing list
        Snort-users at lists.sourceforge.net
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users <https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>  list archive:
        http://www.geocrawler.com/redir-sf.php3?list=snort-users







More information about the Snort-users mailing list