Snort mailing list archives

Re: Hardcore -r question

From: John Sage <jsage () finchhaven com>
Date: Mon, 11 Jun 2001 20:11:04 -0700

Marty:

That did it!

Thanks!

So [0:2] says start at byte 0 (the *first* byte), and examine two (whichwould be the width of the 16-bit source IP), and [2:2] says start atbyte 2 (which is the *third* byte in and which is where the 16-bit destport starts) and go for two...

[3] and [3:1] kinda worked I guess because they were *kinda* looking inthe right place, (start at the third byte in and go for one..) but theygot confused...


Martin Roesch wrote:

Try 'tcp[2:2] == 111', I bet that'll work.  BPF starts counting at zero
for headers, so tcp[0:2] covers the first 16-bits of the tcp header,
tcp[2:2] covers the second 16-bits (i.e. the destination port).

You could also just say 'dst port 111'.



Yeah.. but that takes all the fun out of it ;-)

Thnx,

- John

    -Marty

John Sage wrote:

I'm playing with using the -r switch and tcpdump syntax on a binary log
file, and I'm having one heckuva time understanding why this command line:

snort -dv -r snort-0609 () 0724 log 'tcp[3:1] == 111 '

returns what it does.

I expect it to return packets with destination port 111, which it does,
but WTF? it returns five other packets with a value of 62319 as the
destination port, too.

This says, I think, go into the tcp header 3 bytes (first byte's zero,)
and a one byte offset into that, and look at it -- and if it's "111"
then true and show me the packet.

It does exactly the same thing if I say:

snort -dv -r snort-0609 () 0724 log 'tcp[3] == 111 '

(Of course, if I just chill out and say "snort -dv -r
snort-0609 () 0724 log dst port 111" it works just fine...)

Anyway, what am I missing?

- John



<snipped to conserve bits in preparation for the upcoming bit shortage>


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Hardcore -r question John Sage (Jun 11)
- Re: Hardcore -r question Martin Roesch (Jun 11)
  - Re: Hardcore -r question John Sage (Jun 11)
- <Possible follow-ups>
- RE: Hardcore -r question Mark Evans (Jun 12)
  - Re: Hardcore -r question John Sage (Jun 12)