Snort mailing list archives

Re: Rule to capture only packets with certain content/bytes


From: Brian <bmc () snort org>
Date: Sun, 30 Nov 2003 17:53:03 -0500

I've added snort-sigs, since this discussion should be there.  Ok, first
things first.  Don't use tcpdump for your packet display.  You are
seeing the Ethernet, IP and UDP headers.  (BTW... I'm guessing
217.82.XXX.XXX is you?)

Let's cut out everything that isn't the UDP datagram.

We get this:

                                   8B 0F 00 4D 4A 31 ....l..!.X...MJ1
0030 32 20 7C 7C 20 4D 61 73 74 65 72 00 00 00 96 18 2 || Master.....
0040 00 00 00                                        ...

and this:

                                   8B 1F 00 49 68 61 ..8Bl..1n....Iha
0030 76 65 61 6C 6F 6E 67 6E 61 6D 65 73 69 6E 63 65 vealongnamesince
0040 73 70 6F 6F 6B 73 74 61 68 74 6F 00 00 00 96 29 spookstahto....)
0050 00 00 00                                        ...

Now that's a ton less data to look at.  Let's try to figure out this
protocol.

1) the first byte is similar. (0x8B)
2) the second byte looks like the length of the message being sent.
   ("Ihavealongnamesincespookstahto" in the second example)
3) after the message, there is a similar string (0x00000096, not 
   0x00000090 like you mentioned) 
4) one byte after the previous string there is another similar string
   (0x000000)

So let's put the meat of the rule together based on what we figured out.

    content:"|8B|"; depth:1; byte_jump:1,1; content:"|00 00 00 96|";
    distance:0; within:4; content:"|00 00 00|"; distance:1; within:3;

Since you say this traffic is always on port 27888, we can include that
in the rule as well.  Our finished rule now looks like this:

    alert udp any any -> any 27888 (content:"|8B|"; depth:1;
        byte_jump:1,1; content:"|00 00 00 96|"; distance:0; within:4;
        content:"|00 00 00|"; distance:1; within:3;)

Of course, you need a sid, a classtype, and a message.  Oh, and
references to what this packet means would be useful too.  :P

-brian

