Snort mailing list archives

Re: Interpretation of "offset" in context of "uricontent" keyword


From: Jason <security () brvenik com>
Date: Sat, 07 Jan 2006 17:41:40 -0500

Why not try it on a request and see

alert tcp any any -> any 80 (msg:"offset 0 and uricontent test";
uricontent:"/s/ap"; offset:0; sid:1000000; rev:1; )

alert tcp any any -> any 80 (msg:"offset 20 and uricontent test";
uricontent:"/ap_on_go_pr_wh"; offset:20; sid:1000001; rev:1; )

alert tcp any any -> any 80 (msg:"offset 10 and uricontent test";
uricontent:"/ap_on_go_pr_wh"; offset:10; sid:1000002; rev:1; )

alert tcp any any -> any 80 (msg:"offset 25 and uricontent test";
uricontent:"/eavesdropping_ap_poll"; offset:25; sid:1000003; rev:1; )

then get

http://news.yahoo.com/s/ap/20060107/ap_on_go_pr_wh/eavesdropping_ap_poll

WARNING: spoiler at the bottom of the mail.

Intru Defender wrote:
Hi All,
I am reposting this question in the hope of getting some replies:

======================================================================
I need a little clarification about interpretation of the "offset" modifier
in conjunction with the "uricontent" keyword.

Does Snort treat "offset" differently in the case of the "uricontent" keyword?

In the case of the "uricontent" keyword, does Snort treat "offset:0" as the
start of the URI, and not the start of the payload?

The Snort manual says that "offset" tells how many bytes to skip before
starting to look for the specified "content", and that "offset" is
calculated from the start of the payload. For example:

content: ".html"; offset:4; would mean start looking for ".html" after 4
bytes.

However, in the case of the "uricontent" keyword, would uricontent: ".html";
offset:0; depth:5; mean start looking from the start of the URI and within the
next 5 characters? Or would it mean start looking for ".html" in the first 5
bytes of the payload?

Any help will be highly appreciated.

Thanks,

Intru Defender



<http://adworks.rediff.com/cgi-bin/AdWorks/sigclick.cgi/www.rediff.com/signature-home.htm/1507191490@Middle5?PARTNER=3>


Nice to include remote images as a sigline served from anything with
"adworks" in the name. Cross posted to two security related mailing
lists at that. Most people generally frown upon that kind of behavior.

$ sudo src/snort -c etc/snort.conf -l /tmp -A console -k none -i eth0

$ wget
http://news.yahoo.com/s/ap/20060107/ap_on_go_pr_wh/eavesdropping_ap_poll


01/07-17:35:55.123525  [**] [1:1000003:1] offset 25 and uricontent test
[**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800
len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435
IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046
47 45 54 20 2F 73 2F 61 70 2F 32 30 30 36 30 31  GET /s/ap/200601
30 37 2F 61 70 5F 6F 6E 5F 67 6F 5F 70 72 5F 77  07/ap_on_go_pr_w
68 2F 65 61 76 65 73 64 72 6F 70 70 69 6E 67 5F  h/eavesdropping_
61 70 5F 70 6F 6C 6C 20 48 54 54 50 2F 31 2E 30  ap_poll HTTP/1.0
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67  ..User-Agent: Wg
65 74 2F 31 2E 39 2E 31 0D 0A 48 6F 73 74 3A 20  et/1.9.1..Host:
6E 65 77 73 2E 79 61 68 6F 6F 2E 63 6F 6D 0D 0A  news.yahoo.com..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E  Accept: */*..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


01/07-17:35:55.123525  [**] [1:1000002:1] offset 10 and uricontent test
[**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800
len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435
IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046
47 45 54 20 2F 73 2F 61 70 2F 32 30 30 36 30 31  GET /s/ap/200601
30 37 2F 61 70 5F 6F 6E 5F 67 6F 5F 70 72 5F 77  07/ap_on_go_pr_w
68 2F 65 61 76 65 73 64 72 6F 70 70 69 6E 67 5F  h/eavesdropping_
61 70 5F 70 6F 6C 6C 20 48 54 54 50 2F 31 2E 30  ap_poll HTTP/1.0
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67  ..User-Agent: Wg
65 74 2F 31 2E 39 2E 31 0D 0A 48 6F 73 74 3A 20  et/1.9.1..Host:
6E 65 77 73 2E 79 61 68 6F 6F 2E 63 6F 6D 0D 0A  news.yahoo.com..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E  Accept: */*..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


01/07-17:35:55.123525  [**] [1:1000000:1] offset 0 and uricontent test
[**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800
len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435
IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046
47 45 54 20 2F 73 2F 61 70 2F 32 30 30 36 30 31  GET /s/ap/200601
30 37 2F 61 70 5F 6F 6E 5F 67 6F 5F 70 72 5F 77  07/ap_on_go_pr_w
68 2F 65 61 76 65 73 64 72 6F 70 70 69 6E 67 5F  h/eavesdropping_
61 70 5F 70 6F 6C 6C 20 48 54 54 50 2F 31 2E 30  ap_poll HTTP/1.0
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67  ..User-Agent: Wg
65 74 2F 31 2E 39 2E 31 0D 0A 48 6F 73 74 3A 20  et/1.9.1..Host:
6E 65 77 73 2E 79 61 68 6F 6F 2E 63 6F 6D 0D 0A  news.yahoo.com..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E  Accept: */*..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
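The question at issue, worked as an added Python simulation (this is not Snort's code and not from the thread): it parses the four rules posted above, rebuilds the request from the hex dump in the alert output, and evaluates each uricontent/offset pair once against a minimal URI buffer (the request-line target, a stand-in for the normalised URI buffer that Snort's uricontent actually searches) and once against the raw payload. Because the four rules in the thread fire identically under either interpretation for this URL, the block also adds one constructed rule (sid 2000000, a hypothetical id) using the question's own offset:0; depth:5 form, which matches only when the offset is counted from the start of the URI.

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the four rules posted in the thread.
RULES_TEXT = """
alert tcp any any -> any 80 (msg:"offset 0 and uricontent test"; uricontent:"/s/ap"; offset:0; sid:1000000; rev:1; )
alert tcp any any -> any 80 (msg:"offset 20 and uricontent test"; uricontent:"/ap_on_go_pr_wh"; offset:20; sid:1000001; rev:1; )
alert tcp any any -> any 80 (msg:"offset 10 and uricontent test"; uricontent:"/ap_on_go_pr_wh"; offset:10; sid:1000002; rev:1; )
alert tcp any any -> any 80 (msg:"offset 25 and uricontent test"; uricontent:"/eavesdropping_ap_poll"; offset:25; sid:1000003; rev:1; )
"""

# Constructed rule (hypothetical sid) whose result differs between the two
# interpretations: the URI starts with "/s/ap", the payload starts with "GET /".
DISCRIMINATING_RULE = """
alert tcp any any -> any 80 (msg:"uri start test"; uricontent:"/s/ap"; offset:0; depth:5; sid:2000000; rev:1; )
"""

# The GET request, decoded from the hex dump printed in the alert output.
PAYLOAD = bytes.fromhex(
    "47 45 54 20 2F 73 2F 61 70 2F 32 30 30 36 30 31 "
    "30 37 2F 61 70 5F 6F 6E 5F 67 6F 5F 70 72 5F 77 "
    "68 2F 65 61 76 65 73 64 72 6F 70 70 69 6E 67 5F "
    "61 70 5F 70 6F 6C 6C 20 48 54 54 50 2F 31 2E 30 "
    "0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67 "
    "65 74 2F 31 2E 39 2E 31 0D 0A 48 6F 73 74 3A 20 "
    "6E 65 77 73 2E 79 61 68 6F 6F 2E 63 6F 6D 0D 0A "
    "41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E "
    "6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C "
    "69 76 65 0D 0A 0D 0A"
)


def parse_rules(text: str) -> List[Dict]:
    """Pull sid, uricontent pattern, offset and depth out of each rule line.
    Only these option keywords are interpreted; everything else is ignored."""
    rules = []
    for line in text.strip().splitlines():
        body = re.search(r"\((.*)\)\s*$", line)
        pat = re.search(r'uricontent:"([^"]+)"', body.group(1)) if body else None
        if not pat:
            continue

        def num(key: str) -> Optional[int]:
            m = re.search(rf"\b{key}:(\d+);", body.group(1))
            return int(m.group(1)) if m else None

        rules.append({
            "sid": num("sid"),
            "pattern": pat.group(1).encode(),
            "offset": num("offset") or 0,
            "depth": num("depth"),
        })
    return rules


def uri_buffer(payload: bytes) -> bytes:
    """Request target from the HTTP request line: a minimal stand-in for the
    normalised URI buffer (no decoding or path normalisation is done here)."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def content_match(buf: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort content semantics: skip `offset` bytes, then the pattern must lie
    entirely within the next `depth` bytes (whole remainder if depth is unset)."""
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    return pattern in window


def evaluate(rules: List[Dict], payload: bytes) -> Dict[str, List[int]]:
    """Sids that fire when offset is counted from the URI start versus from
    the payload start."""
    uri = uri_buffer(payload)
    fired: Dict[str, List[int]] = {"uri_relative": [], "payload_relative": []}
    for r in rules:
        if content_match(uri, r["pattern"], r["offset"], r["depth"]):
            fired["uri_relative"].append(r["sid"])
        if content_match(payload, r["pattern"], r["offset"], r["depth"]):
            fired["payload_relative"].append(r["sid"])
    return fired


if __name__ == "__main__":
    print("thread rules:  ", evaluate(parse_rules(RULES_TEXT), PAYLOAD))
    print("offset:0;depth:5 rule:", evaluate(parse_rules(DISCRIMINATING_RULE), PAYLOAD))
```

Run stand-alone, the first line shows sids 1000000, 1000002 and 1000003 firing and 1000001 silent under both interpretations, exactly the three alerts in the spoiler; the second line shows the depth-bounded rule firing only when the offset is measured from the start of the URI, which is the test to run on a live sensor when a rule needs to anchor a pattern at a fixed position in the request path.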


