[Snort-users] byte_jump question

Mark Trolley mtrolley at ...14423...
Tue Sep 23 17:07:05 EDT 2008


Thanks for the help, but I decided to just go with pcre. It does the job for what I need.

Cheers,
Mark

________________________________

From: Shirk Dog [mailto:shirkdog_list at ...125...]
Sent: Tuesday, September 23, 2008 4:56 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] byte_jump question


There is not a simple way, but there is a way to do this.

---> Points to shared object rule :)


Shirkdog
' or 1=1--
http://www.shirkdog.us


________________________________

> From: mtrolley at ...14423...
> To: snort-users at lists.sourceforge.net
> Date: Tue, 23 Sep 2008 15:56:02 -0400
> Subject: Re: [Snort-users] byte_jump question
>
> No, I don't want to do that. I just don't know any better way to get to the end of the packet and check the last 5 bytes. All I know is the length of the payload because it's in the header, and it's variable. Is there a simpler way to check for a pattern at the end of the packet?
>
> Thanks,
> Mark
>
> ________________________________
>
> From: Alex Kirk [mailto:akirk at ...1935...]
> Sent: Tuesday, September 23, 2008 3:49 PM
> To: Mark Trolley
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] byte_jump question
>
>
> First things first, this byte_jump, if successful, would put you just *past* the end of the content you want to examine. You sure you want to do that, and that there's no better way to examine things? Looking backwards in packets can be dicey business, very prone to errors.
>
> That said, the problem is that your jump is taking you to the very end of the packet, and Snort won't allow that - since there's no further data beyond where its internal pointer ends up, it figures it's not safe to continue, and it fails out. Check the two attached PCAPs with the following rule to see what I mean:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 5190 (msg:"Test byte_jump"; content:"|2A|"; depth:1; byte_jump:1,2,from_beginning; sid:99990;)
>
> test-byte-jump.pcap succeeds on packet #9, because it goes 9 bytes from the start of the packet, and has 1 remaining byte beyond that. test-byte-jump2.pcap fails on that same packet, because it tries to go 10 bytes from the start, and has nothing left beyond it.
>
> Alex Kirk
> Research Analyst
> Sourcefire, Inc.
>
>
> On Tue, Sep 23, 2008 at 2:40 PM, Mark Trolley <mtrolley at ...14423...> wrote:
>
>
> I'm having trouble using byte_jump so am looking for some assistance. The packet in question has a 4 byte header, the last 2 bytes of which contain the length of the entire payload (including the header). The data I want to check is contained in the last 5 bytes of the payload. For example if the payload were:
>
> 00 00 00 34 ... 11 22 33 44 55
>
> the length of the payload is 52 bytes, and bytes 48-52 contain the pattern I want to check for.
>
> My first question is: is this byte_jump correct to put the doe_ptr at the end of the payload?
>
> byte_jump:2,2,from_beginning;
>
> This isn't working for me though. When I have this as part of my rule it doesn't get triggered. Using the same example as above I get a hit if I use this as my rule:
>
> alert tcp any any -> any any (msg:"Message here"; content:"|00 00 00|"; offset:0; depth:3; sid:1000000; rev:1;) # works
>
> but I don't get a hit if I add the byte_jump:
>
> alert tcp any any -> any any (msg:"Message here"; content:"|00 00 00|"; offset:0; depth:3; byte_jump:2,2,from_beginning; sid:1000000; rev:1;) # does not work
>
> What am I missing?
>
> Thanks,
> Mark
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
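The failure Alex describes (a pointer that lands exactly on the end of the payload has nothing left to examine, so byte_jump fails) and the check Mark actually wants (compare the last 5 bytes, locating them through the length field in the header) are easy to reproduce outside Snort. The following Python model is an added example, not Snort's source or a rule from the thread; the payload layout (2 zero bytes, a 2-byte big-endian total length, variable data, a 5-byte trailer) follows Mark's description, the sample packets are constructed, and the `byte_jump` function is a hypothetical simplification of the option's arithmetic, not the real detection engine.

```python
"""Model of byte_jump pointer arithmetic and of an end-of-payload check.
Added example for the snort-users thread; not Snort code."""
import re
import struct

TRAILER = bytes.fromhex("1122334455")  # the 11 22 33 44 55 pattern from Mark's mail


def build_payload(body: bytes, trailer: bytes = TRAILER) -> bytes:
    """Constructed sample payload: 4-byte header whose last 2 bytes hold the
    big-endian length of the whole payload, header included."""
    total = 4 + len(body) + len(trailer)
    return b"\x00\x00" + struct.pack(">H", total) + body + trailer


def byte_jump(payload: bytes, nbytes: int, offset: int,
              from_beginning: bool = True, base: int = 0):
    """Return the detection pointer (doe_ptr) after a byte_jump, or None when
    the option fails. Hypothetical model of the option: read `nbytes` bytes at
    `offset`, then jump either from the start of the payload (from_beginning)
    or from the end of the bytes just read. As Alex explains, a pointer that
    ends up at or beyond the end of the payload has no data left, so it fails."""
    start = offset if from_beginning else base + offset
    if start + nbytes > len(payload):
        return None  # length field itself is out of bounds
    value = int.from_bytes(payload[start:start + nbytes], "big")
    doe_ptr = value if from_beginning else start + nbytes + value
    if doe_ptr >= len(payload):
        return None  # landed on or past the last byte: nothing left to inspect
    return doe_ptr


def tail_matches(payload: bytes, pattern: bytes = TRAILER) -> bool:
    """Locate the last len(pattern) bytes through the header length field and
    compare them, without ever walking a pointer off the end of the payload.
    The length is validated against the real payload size first, because a
    header that claims more data than was captured must not be trusted."""
    if len(payload) < 4:
        return False
    length = struct.unpack(">H", payload[2:4])[0]
    if length > len(payload) or length < 4 + len(pattern):
        return False
    return payload[length - len(pattern):length] == pattern


def tail_matches_regex(payload: bytes, pattern: bytes = TRAILER) -> bool:
    """The approach Mark settled on: an end-anchored regular expression.
    \\Z anchors at the very end of the buffer; DOTALL keeps '.' matching
    across newline bytes, which matter in binary payloads."""
    return re.search(re.escape(pattern) + rb"\Z", payload, re.DOTALL) is not None


if __name__ == "__main__":
    # Mark's example: 52-byte payload, header 00 00 00 34, trailer in bytes 48-52.
    mark = build_payload(b"A" * 43)
    print(mark[:4].hex(" "), len(mark))                 # 00 00 00 34 52
    print("byte_jump:2,2,from_beginning ->", byte_jump(mark, 2, 2))  # None (fails)
    print("tail check ->", tail_matches(mark))          # True
    print("pcre-style check ->", tail_matches_regex(mark))  # True

    # Alex's two PCAPs, as constructed 10-byte packets: the jump value at
    # offset 2 is 9 in the first (one byte remains) and 10 in the second.
    ok = b"\x2a\x00\x09" + b"\x00" * 7
    bad = b"\x2a\x00\x0a" + b"\x00" * 7
    print("byte_jump:1,2 on 9 ->", byte_jump(ok, 1, 2))   # 9
    print("byte_jump:1,2 on 10 ->", byte_jump(bad, 1, 2))  # None
```

The model makes the two points of the thread concrete: jumping by the total length lands on `len(payload)`, which is one byte past the last byte you want, so it fails as Alex said; reading the length field and indexing backwards from it (or anchoring a regex at the end of the buffer, as Mark did with pcre) checks the trailer without that problem. The bounds check on the header length is the defender's caveat: a packet whose header claims a larger length than the captured payload should be rejected, not indexed.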

