Snort mailing list archives
offset help.
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 18 Jun 2003 16:27:59 -0400
Hello,

I have been killing myself all afternoon trying to get a rule to work using the offset and depth keywords. I am trying to match the pattern 07 00 00 00 in this packet with the following rule. Can anybody tell me what I am doing wrong with the depth and offset keywords?

Thanks!
vjl

alert tcp any any -> any 139 (msg:"File Write to Win 2K Startup folder."; flow:to_server,established; content:"|ff 53 4d 42 a2|"; depth:48; content:"|5c 00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|s|00| |00|a|00|n|00|d|00| |00|S|00|e|00|t|00|t|00|i|00|n|00|g|00|s|00 5c 00|"; content:"|5c 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5c 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5c 00|S|00|t|00|a|00|r|00|t|00|u|00|p|00 5c 00|"; content:"|3a 00 24 00|D|00|A|00|T|00|A|00|"; content:"|07 00 00 00|"; offset:121; depth:8; classtype:misc-activity; rev:1;)

06/18-14:36:46.956661 128.221.20.13:1499 -> 128.221.20.34:139
TCP TTL:128 TOS:0x0 ID:33861 IpLen:20 DgmLen:354 DF
***AP*** Seq: 0x8A6230AB  Ack: 0xADE3E800  Win: 0xFDFF  TcpLen: 20
0x0000: 00 06 5B 04 18 A6 00 0B DB 19 79 AD 08 00 45 00  ..[.......y...E.
0x0010: 01 62 84 45 40 00 80 06 4B 67 80 DD 14 0D 80 DD  .b.E@...Kg......
0x0020: 14 22 05 DB 00 8B 8A 62 30 AB AD E3 E8 00 50 18  .".....b0.....P.
0x0030: FD FF 84 12 00 00 00 00 01 36 FF 53 4D 42 A2 00  .........6.SMB..
0x0040: 00 00 00 18 07 C8 00 00 00 00 00 00 00 00 00 00  ................
0x0050: 00 00 02 70 AC 0A 03 D0 43 5C 18 FF 00 DE DE 00  ...p....C\......
0x0060: E0 00 16 00 00 00 00 00 00 00 89 00 02 00 00 00  ................
0x0070: 00 00 00 00 00 00 80 00 00 00 07 00 00 00 01 00  ................
0x0080: 00 00 00 00 00 00 02 00 00 00 00 E3 00 00 5C 00  ..............\.
0x0090: 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00  D.o.c.u.m.e.n.t.
0x00A0: 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00  s. .a.n.d. .S.e.
0x00B0: 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00  t.t.i.n.g.s.\.A.
0x00C0: 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00  d.m.i.n.i.s.t.r.
0x00D0: 61 00 74 00 6F 00 72 00 5C 00 53 00 74 00 61 00  a.t.o.r.\.S.t.a.
0x00E0: 72 00 74 00 20 00 4D 00 65 00 6E 00 75 00 5C 00  r.t. .M.e.n.u.\.
0x00F0: 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 73 00  P.r.o.g.r.a.m.s.
0x0100: 5C 00 53 00 74 00 61 00 72 00 74 00 75 00 70 00  \.S.t.a.r.t.u.p.
0x0110: 5C 00 45 00 46 00 4C 00 48 00 33 00 30 00 31 00  \.E.F.L.H.3.0.1.
0x0120: 31 00 2E 00 50 00 50 00 44 00 3A 00 05 00 52 00  1...P.P.D.:...R.
0x0130: 61 00 65 00 63 00 32 00 35 00 70 00 68 00 34 00  a.e.c.2.5.p.h.4.
0x0140: 73 00 75 00 64 00 62 00 66 00 30 00 68 00 41 00  s.u.d.b.f.0.h.A.
0x0150: 61 00 71 00 35 00 65 00 68 00 77 00 33 00 4E 00  a.q.5.e.h.w.3.N.
0x0160: 66 00 3A 00 24 00 44 00 41 00 54 00 41 00 00 00  f.:.$.D.A.T.A...

V.Jay LaRosa
EMC Corporation
Information Security
4400 Computer Dr.
Westboro, MA 01580
(508)898-7433 Office
(508)353-1348 Cell
888-799-9750 Pager
www.emc.com <http://www.emc.com>
vjl () emc com
Current thread:
- offset help. larosa, vjay (Jun 18)
- <Possible follow-ups>
- RE: offset help. larosa, vjay (Jun 19)
- RE: offset help. Ciprian Badescu (Jun 19)
- RE: offset help. larosa, vjay (Jun 19)