[Snort-users] Help with signature - offset

waldo kitty wkitty42 at ...14940...
Mon Jul 22 22:24:33 EDT 2013


On 7/22/2013 19:22, miha rass wrote:
> Hello,
>
> I am trying to ID why my test Snort sig won't fire from the offset.  I have a
> generic sig that I have tested from flow, depth, content, etc.  It all works but
> the offset.
>
> I am testing the sig against some old Gh0st RAT traffic.  Below is the sig.  I
> thought the TCP payload would start at offset 54.  The content in the hex is in
> bold.

The key to the offset is the last content match, IIRC... I'm not sure, at the 
moment, where the "last content match" pointer is set in a rule like yours... 
What version of Snort are you running? There have been a lot of changes over 
time in this and similar areas...

>   Alert tcp any any -> any 21 (msg:"testing for gh0st"; content:"v2010";
> offset:58; nocase; sid:100000939;)
>
>
> 0000  00 50 56 e3 19 d5 00 50  56 3c f6 41 08 00 45 00   .PV....P V<.A..E.
> 0010  01 31 02 74 40 00 80 06  bc ce c0 a8 6a 8d 79 3f   .1.t@... ....j.y?
> 0020  96 0f 04 34 00 15 04 4a  7e 7d 59 4f 74 3a 50 18   ...4...J ~}YOt:P.
> 0030  fa f0 5d c1 00 00 76 32  30 31 30 09 01 00 00 fc   ..]...*v2 010*.....
> 0040  00 00 00 66 00 00 00 9c  00 00 00 05 00 00 00 01   ...f.... ........
> 0050  00 00 00 28 0a 00 00 02  00 00 00 53 65 72 76 69   ...(.... ...Servi
> 0060  63 65 20 50 61 63 6b 20  32 00 00 3f 9b 91 7c d8   ce Pack  2..?..|.
> 0070  c0 97 7c eb 9a 91 7c 30  f4 40 00 90 fe ab 00 ff   ..|...|0 .@......
> 0080  ff 00 00 00 c0 fd 7f a8  34 24 00 ff ff ff ff 12   ........ 4$......



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
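Added example, not code from the thread, from Snort, or from either poster: the script below parses the hex dump quoted above, walks the Ethernet/IPv4/TCP headers to find where the payload begins, and then applies a simplified model of Snort's content;offset;depth;nocase modifiers to that payload. Snort's offset counts from the first byte of the TCP payload (the buffer content matching runs over), not from the first byte of the frame, so although the payload does begin at frame byte 54, "v2010" sits at payload offset 0 and offset:58 starts searching 58 bytes past it. The bytes are transcribed from the dump; it shows only the first 0x90 bytes of a 305-byte IP packet, so the payload used here is truncated. The treatment of depth as a byte count measured from the offset position is my reading of the Snort manual and is labelled as an assumption in the code.

```python
"""Re-derive Snort's offset semantics from the hex dump posted in the thread.

Example code written for this page, not Snort's own matcher.  The packet
bytes are transcribed from the dump in the message (hex columns only).
"""
import struct

# Hex columns of the posted dump; the ASCII column is dropped.  The dump is
# truncated: the IP total length says 305 bytes, only 0x90 were shown.
HEX_DUMP = """
0000  00 50 56 e3 19 d5 00 50  56 3c f6 41 08 00 45 00
0010  01 31 02 74 40 00 80 06  bc ce c0 a8 6a 8d 79 3f
0020  96 0f 04 34 00 15 04 4a  7e 7d 59 4f 74 3a 50 18
0030  fa f0 5d c1 00 00 76 32  30 31 30 09 01 00 00 fc
0040  00 00 00 66 00 00 00 9c  00 00 00 05 00 00 00 01
0050  00 00 00 28 0a 00 00 02  00 00 00 53 65 72 76 69
0060  63 65 20 50 61 63 6b 20  32 00 00 3f 9b 91 7c d8
0070  c0 97 7c eb 9a 91 7c 30  f4 40 00 90 fe ab 00 ff
0080  ff 00 00 00 c0 fd 7f a8  34 24 00 ff ff ff ff 12
"""


def parse_hexdump(text: str) -> bytes:
    """Turn 'OFFSET  xx xx ...' lines into raw bytes, ignoring the offset column."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if tokens:
            out += bytes.fromhex("".join(tokens[1:]))
    return bytes(out)


def dissect(frame: bytes):
    """Walk Ethernet -> IPv4 -> TCP and locate the payload.

    Returns (payload_start, dst_port, declared_payload_len).  payload_start
    is the frame index of the first TCP payload byte; declared_payload_len
    comes from the IP total length field and can exceed what a truncated
    dump actually contains.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = 14
    if frame[ip] >> 4 != 4 or frame[ip + 9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (frame[ip] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip + 2:ip + 4])[0]
    tcp = ip + ihl
    dst_port = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    data_off = (frame[tcp + 12] >> 4) * 4
    return tcp + data_off, dst_port, total_len - ihl - data_off


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth=None, nocase: bool = False) -> bool:
    """Simplified model of Snort's content;offset;depth;nocase modifiers.

    offset: number of payload bytes to skip before the search starts.
    depth:  at most this many bytes are searched from that point (assumed
            to be measured from the offset position; None searches to the
            end of the payload, as a content without depth does).
    """
    window = payload[offset:]
    if depth is not None:
        window = window[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def explain(frame: bytes) -> dict:
    """Evaluate the posted rule's content modifier against the payload, and
    the same content with the offset counted from the payload start."""
    start, dst_port, declared = dissect(frame)
    payload = frame[start:]
    return {
        "payload_starts_at_frame_byte": start,
        "dst_port": dst_port,
        "declared_payload_len": declared,
        "captured_payload_len": len(payload),
        "v2010_at_payload_offset": payload.find(b"v2010"),
        "posted_rule_offset_58": content_match(payload, b"v2010",
                                               offset=58, nocase=True),
        "offset_0_depth_5": content_match(payload, b"v2010",
                                          offset=0, depth=5, nocase=True),
    }


if __name__ == "__main__":
    for key, value in explain(parse_hexdump(HEX_DUMP)).items():
        print(f"{key}: {value}")
```

Running it reports the payload at frame byte 54 with destination port 21, "v2010" at payload offset 0, the posted content with offset:58 not matching, and the same content with offset:0; depth:5 matching. The second string visible in the dump, "Service Pack 2", lands at payload offset 37 (frame byte 0x5b), which is the number a rule would need in its offset to anchor on it.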
