Snort mailing list archives
Re: Interpretation of "offset" in context of "uricontent" keyword
From: Jason <security () brvenik com>
Date: Sat, 07 Jan 2006 17:41:40 -0500
Why not try it on a request and see:

alert tcp any any -> any 80 (msg:"offset 0 and uricontent test"; uricontent:"/s/ap"; offset:0; sid:1000000; rev:1; )
alert tcp any any -> any 80 (msg:"offset 20 and uricontent test"; uricontent:"/ap_on_go_pr_wh"; offset:20; sid:1000001; rev:1; )
alert tcp any any -> any 80 (msg:"offset 10 and uricontent test"; uricontent:"/ap_on_go_pr_wh"; offset:10; sid:1000002; rev:1; )
alert tcp any any -> any 80 (msg:"offset 25 and uricontent test"; uricontent:"/eavesdropping_ap_poll"; offset:25; sid:1000003; rev:1; )

then get http://news.yahoo.com/s/ap/20060107/ap_on_go_pr_wh/eavesdropping_ap_poll

WARNING: spoiler at the bottom of the mail.

Intru Defender wrote:
> Hi All,
>
> I am reposting this question in the hope of getting some replies:
> ======================================================================
> I need a little clarification about the interpretation of the "offset" modifier in conjunction with the "uricontent" keyword.
>
> Does Snort treat "offset" differently in the case of the "uricontent" keyword? In the case of the "uricontent" keyword, does snort treat "offset:0" from the start of the URI, and not from the start of the payload?
>
> The snort manual says that the "offset" tells how many bytes to skip before starting to look for the specified "content" keyword, and "offset" is calculated from the start of the payload. For example:
>
> content: ".html"; offset:4;
>
> would mean start looking for ".html" after 4 bytes.
>
> However, in the case of the "uricontent" keyword, will
>
> uricontent: ".html"; offset:0; depth:5;
>
> mean start looking from the start of the URI and in the next 5 characters? Or will it mean start looking for ".html" in the first 5 bytes of the payload?
>
> Any help will be highly appreciated.
>
> Thanks,
> Intru Defender
> <http://adworks.rediff.com/cgi-bin/AdWorks/sigclick.cgi/www.rediff.com/signature-home.htm/1507191490@Middle5?PARTNER=3>
Nice to include remote images as a sigline served from anything with "adworks" in the name. Cross-posted to two security-related mailing lists at that. Most people generally frown upon that kind of behavior.

$ sudo src/snort -c etc/snort.conf -l /tmp -A console -k none -i eth0
$ wget http://news.yahoo.com/s/ap/20060107/ap_on_go_pr_wh/eavesdropping_ap_poll

01/07-17:35:55.123525  [**] [1:1000003:1] offset 25 and uricontent test [**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800 len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435 IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046
47 45 54 20 2F 73 2F 61 70 2F 32 30 30 36 30 31  GET /s/ap/200601
30 37 2F 61 70 5F 6F 6E 5F 67 6F 5F 70 72 5F 77  07/ap_on_go_pr_w
68 2F 65 61 76 65 73 64 72 6F 70 70 69 6E 67 5F  h/eavesdropping_
61 70 5F 70 6F 6C 6C 20 48 54 54 50 2F 31 2E 30  ap_poll HTTP/1.0
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67  ..User-Agent: Wg
65 74 2F 31 2E 39 2E 31 0D 0A 48 6F 73 74 3A 20  et/1.9.1..Host:
6E 65 77 73 2E 79 61 68 6F 6F 2E 63 6F 6D 0D 0A  news.yahoo.com..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E  Accept: */*..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/07-17:35:55.123525  [**] [1:1000002:1] offset 10 and uricontent test [**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800 len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435 IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/07-17:35:55.123525  [**] [1:1000000:1] offset 0 and uricontent test [**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800 len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435 IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
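The experiment in the reply can also be worked through offline. The Python below is an added example, not code from the thread or from Snort: it rebuilds the captured request from the hex dump and checks each rule's pattern, offset and depth under both readings of offset (counted from the start of the URI versus from the start of the payload). The rule with sid 9000000 is a constructed extra whose verdict differs between the two readings; the four thread rules happen to fire identically either way.

```python
from typing import Optional

# Constructed copy of the request captured in the thread (decoded from the hex dump).
REQUEST = (
    b"GET /s/ap/20060107/ap_on_go_pr_wh/eavesdropping_ap_poll HTTP/1.0\r\n"
    b"User-Agent: Wget/1.9.1\r\nHost: news.yahoo.com\r\nAccept: */*\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# (sid, pattern, offset, depth) for the four rules in the reply, plus one
# hypothetical rule (sid 9000000, not from the thread) whose verdict differs
# between the two readings: its pattern starts at URI index 14 but at payload
# index 18 because of the leading "GET ".
RULES = [
    (1000000, b"/s/ap", 0, None),
    (1000001, b"/ap_on_go_pr_wh", 20, None),
    (1000002, b"/ap_on_go_pr_wh", 10, None),
    (1000003, b"/eavesdropping_ap_poll", 25, None),
    (9000000, b"/ap_on_go_pr_wh", 16, None),
]


def uri_buffer(payload: bytes) -> bytes:
    """Return the request-URI from the request line ("METHOD SP URI SP VERSION")."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    return parts[1]


def content_match(buf: bytes, pat: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort-style match: skip `offset` bytes, then the whole pattern must fit
    within the next `depth` bytes (or anywhere after offset when depth is unset)."""
    end = len(buf) if depth is None else min(len(buf), offset + depth)
    # A bounded find() only reports matches lying entirely inside [offset, end).
    return buf.find(pat, offset, end) != -1


def evaluate(payload: bytes, rules) -> dict:
    """Map sid -> (fires with URI-relative offset, fires with payload-relative offset)."""
    uri = uri_buffer(payload)
    return {sid: (content_match(uri, pat, off, dep), content_match(payload, pat, off, dep))
            for sid, pat, off, dep in rules}


if __name__ == "__main__":
    for sid, (by_uri, by_payload) in evaluate(REQUEST, RULES).items():
        print(f"sid {sid}: uri-relative={by_uri}  payload-relative={by_payload}")
```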