Snort mailing list archives
Re: No need for content modifier 'within'
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Thu, 10 Jun 2010 10:32:25 -0500
I understand what you are saying but I'm not sure it is congruent with current reality. Try this -- run these two rules:

    alert tcp any any -> any any (msg:"DEPTH TEST!"; flow:established,to_server; content:"hello"; nocase; content:"world"; distance:4; depth:5; classtype:trojan-activity; sid:20104568; rev:1;)

    alert tcp any any -> any any (msg:"WITHIN TEST!"; flow:established,to_server; content:"hello"; nocase; content:"world"; distance:4; within:5; classtype:trojan-activity; sid:20104569; rev:1;)

And then browse to http://www.google.com/hello1234world

Do they both alert? If so, that would seem to indicate that depth is relative, no?

I'd also encourage you to test http://www.google.com/hello123world and http://www.google.com/hello12345world and verify that those don't cause alerts.

Cheers,
-L0rd Ch0de1m0rt

On 6/10/10, Joel Esler <jesler () sourcefire com> wrote:
> I apologize, I meant depth instead of distance. My fingers typed the wrong word.
>
> You can do a distance:0, but within allows you to tell the search where to stop. Distance is relative to the last match, within is relative to this match.
>
> Depth tells Snort how far to read into a packet to search for a pattern.
> Offset tells Snort how far to read into a packet to START searching for a pattern.
> Distance tells Snort how far into a packet Snort should skip relative to the end of the previous content match.
> Within makes sure that there is "x" amount of bytes between pattern matches.
>
> You can't use a depth with a distance, as depth references the offset, not the relative distance from the last match (that's what distance is for).
>
> There are reasons for all four; we've had this debate for years. Plus with distance, you can do negative relativity; you can't do that with offset. Just FYI.
>
> -- Joel Esler
>
> On Jun 10, 2010, at 11:04 AM, L0rd Ch0de1m0rt wrote:
>> What? Are you confusing distance and offset? According to your blog post, which quotes the Snort manual, "The distance keyword allows the rule writer to specify how far into a packet Snort should ignore before starting to search for the specified pattern relative to the end of the previous pattern match."
>>
>> Distance is relative, and I'm saying we don't really need the 'within' keyword since we can just do distance:0; and then use depth, since depth is relative as well.
>>
>> Hope this helps.
>> -L0rd Ch0de1m0rt
>>
>> On 6/10/10, Joel Esler <jesler () sourcefire com> wrote:
>>> Distance tells Snort how far to read into a packet to search for a pattern. Within makes sure that at most "x" amount of bytes are between pattern matches. Within is relative, distance is not.
>>>
>>> -- Joel Esler
>>>
>>> On Jun 10, 2010, at 10:39 AM, L0rd Ch0de1m0rt wrote:
>>>> Hello. Not trying to beat a dead horse here, but I was reading http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html and came to a part where it said, "Offset goes with Depth, distance goes with within. Don't mix them."
>>>>
>>>> I'm not sure I agree with this, and I'm not much of a Blogger/Internet Exhibitionist, so I'm posting this here.
>>>>
>>>> We all know offset tells Snort how far into the payload (starting from the beginning of the payload) to start looking for a content match. Distance tells Snort how far into the payload (starting from the previous content match) to start looking for a content match. Depth *and* within tell Snort where to stop looking based on where it started looking. So you can have distance and use depth if you want, and it is perfectly OK to do this. Do not be afraid.
>>>>
>>>> The only reason within exists is so if you have a situation where you don't use distance but want to make sure no more than N bytes are between content matches. But within isn't really necessary. In fact, we could get rid of within in the case described and just add distance:0; and use depth.
>>>>
>>>> Hope this helps clarify a few things about the within content modifier.
>>>>
>>>> Cheers,
>>>> -L0rd Ch0de1m0rt

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
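The disputed modifier semantics, as an added example that is not part of the thread or of Snort's own code: a Python model of offset/depth versus distance/within, run against the two rules and the three test URLs from the top message. It assumes the behaviour the poster's test implies (a depth on a relative content caps the bytes searched from the relative start), which is exactly the point under debate, so check it against a real Snort build before relying on it.

```python
# Added example, not from the thread or Snort's source: a model of the Snort
# content modifiers as described above (offset/depth from the payload start,
# distance/within from the end of the previous match).  Assumption, the disputed
# point: depth on a relative content caps the bytes searched from the relative start.

def match_content(payload, pattern, prev_end=None, offset=None, depth=None,
                  distance=None, within=None, nocase=False):
    """Return the index just past the match, or None.  prev_end is the end of
    the previous content match (None for the first content in a rule).  A
    modifier left as None is unset, like leaving it out of the rule."""
    hay = payload.lower() if nocase else payload
    pat = pattern.lower() if nocase else pattern
    if prev_end is not None and (distance is not None or within is not None):
        start = prev_end + (distance or 0)   # relative; distance:0 is legal
    else:
        start = offset or 0                  # absolute from the payload start
    if not 0 <= start <= len(hay):
        return None                          # window falls off the payload
    caps = [c for c in (within, depth) if c is not None]
    window = hay[start:start + min(caps)] if caps else hay[start:]
    idx = window.find(pat)
    return None if idx < 0 else start + idx + len(pat)

def rule_matches(payload, contents):
    """contents is a list of (pattern, modifiers); each content is searched
    relative to the end of the previous one, as Snort walks a rule."""
    prev_end = None
    for pattern, mods in contents:
        prev_end = match_content(payload, pattern, prev_end, **mods)
        if prev_end is None:
            return False
    return True

# The two rules from the top message, reduced to their content options.
DEPTH_TEST = [("hello", {"nocase": True}), ("world", {"distance": 4, "depth": 5})]
WITHIN_TEST = [("hello", {"nocase": True}), ("world", {"distance": 4, "within": 5})]

def test_urls():
    """Constructed request lines for the three URLs in the thread; returns
    {path: (DEPTH TEST fired, WITHIN TEST fired)}."""
    results = {}
    for path in ("/hello1234world", "/hello123world", "/hello12345world"):
        payload = f"GET {path} HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
        results[path] = (rule_matches(payload, DEPTH_TEST),
                         rule_matches(payload, WITHIN_TEST))
    return results

if __name__ == "__main__":
    for path, (d, w) in test_urls().items():
        print(f"{path:17} DEPTH TEST={d}  WITHIN TEST={w}")
```

Under this model only hello1234world fires, for both rules, and the distance:0 plus depth form proposed in the thread behaves the same as within.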