Snort mailing list archives
Re: Question regarding distances after a byte_jump...
From: evejou <girl () techn0ev3 net>
Date: Fri, 17 Dec 2010 01:20:29 -0500
Grr.. I suddenly realized why my signature was all messed up; my fatal mistake was forgetting that from_beginning meant: "from the VERY BEGINNING, from the HTTP header in my packet, which I totally forgot was there." Suddenly all of my results make sense. :P Thanks Joel... Sorry to bother.

Also, what's the difference (if there is any) between setting "post_offset 2" and using "distance:2"?

On Thu, Dec 16, 2010 at 7:37 PM, Joel Esler <jesler () sourcefire com> wrote:

> Two things that I see right away that you might want to try and make your life easier.
>
> from_beginning's function is to start its packet jumping at the beginning of the packet, as opposed to where your pointer is, and I am not sure that's what you are trying to do from reading your email.
>
> Also, post_offset can confuse the novice, so you might want to make it simpler for you.
>
> content:"|MM MM|"; byte_jump:3,0,relative; content:"|AA AA|"; distance:2; within:2;
>
> From reading your email, that might be what you are trying to do, please let me know?
>
> Joel
>
> On Dec 16, 2010, at 5:55 PM, evejou wrote:
>
>> I was trying to write a signature for Snort v2.6.1.5. I have a question about using the distance/within tags after a byte_test, if that's even proper use for it.
>>
>> Oops. I meant, byte_jump.
>>
>> On Thu, Dec 16, 2010 at 5:54 PM, evejou <girl () techn0ev3 net> wrote:
>>
>>> Hi,
>>>
>>> I was trying to write a signature for Snort v2.6.1.5. I have a question about using the distance/within tags after a byte_test, if that's even proper use for it.
>>>
>>> Say there's a packet that looks kind of like this:
>>>
>>> MM MM OO OO OO [....] TT XX XX AA AA ...
>>>
>>> (MM -- magic number)
>>> (OO -- offset value that points to the TTs; this offset counts from the beginning of the file)
>>> (XX XX -- 2 bytes that I don't care about)
>>>
>>> I was trying to figure out where the pointer would be after a byte_jump, so I tried to write the following to see if it would trigger:
>>>
>>> content:"|MM MM|"; byte_jump:3,0,relative,from_beginning,post_offset 2; content:"|AA AA|"; distance:0; within:2;
>>>
>>> I noticed that this didn't trigger, but that it did when I removed the "within:2" part. And then I tried the following:
>>>
>>> content:"|MM MM|"; byte_jump:3,0,relative,from_beginning,post_offset 2; content:"|OO OO OO|"; distance:0; within:3;
>>>
>>> and this triggered as well.
>>>
>>> My first question is whether this is expected behavior (or am I doing something wrong?), and adjunctly to that, how I could get a hit on that second content tag (the |AA AA| part)...
>>>
>>> Thanks,
>>> Alice

--
---
girl () techn0ev3 net
Finché c'è vita, c'è speranza.
As long as there is life, there is hope.
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
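The point the thread lands on (from_beginning counts the jump from the very start of the payload, HTTP header included, whereas a plain relative jump counts from the bytes just read) is easy to see with a small model of the detection cursor. The following is an added example, not code from the thread or from Snort: it models content, byte_jump, distance, within, from_beginning and post_offset as this author reads the Snort manual, over a constructed packet whose layout (magic, 3-byte length, variable part, two don't-care bytes, then AA AA) only resembles the one Alice describes. The packet bytes, the HTTP header and the rule functions are all constructed for the example; the cursor semantics are the model's assumptions, not a reference implementation.

```python
# Added example (not from the thread, not Snort code): a model of how the
# detection cursor moves under content / byte_jump / distance / within.
# Semantics are this model's assumptions, read from the Snort manual.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cursor:
    pos: int = 0                                 # detection cursor into the payload
    trace: list = field(default_factory=list)    # readable log of every step


def content(payload: bytes, cur: Cursor, pattern: bytes,
            distance: int = 0, within: Optional[int] = None) -> bool:
    """Relative content match: the search starts `distance` bytes past the
    cursor; with `within`, the whole pattern must fit inside `within` bytes
    from that start. A match moves the cursor to the byte after the pattern."""
    start = cur.pos + distance
    end = len(payload) if within is None else min(len(payload), start + within)
    idx = payload.find(pattern, start, end)          # find() keeps the match inside [start, end)
    if idx < 0:
        cur.trace.append(f"content {pattern.hex()}: no match in [{start}, {end})")
        return False
    cur.pos = idx + len(pattern)
    cur.trace.append(f"content {pattern.hex()}: matched at {idx}, cursor -> {cur.pos}")
    return True


def byte_jump(payload: bytes, cur: Cursor, nbytes: int, offset: int = 0,
              relative: bool = False, from_beginning: bool = False,
              post_offset: int = 0) -> bool:
    """Read `nbytes` big-endian at `offset` from the cursor (relative) or from
    payload byte 0, then move the cursor. Model assumptions: a plain jump
    counts the value from the end of the bytes read; from_beginning counts it
    from payload byte 0 (so any HTTP header in front is included); post_offset
    is added after the jump has been computed."""
    field_at = (cur.pos if relative else 0) + offset
    if field_at + nbytes > len(payload):
        return False
    value = int.from_bytes(payload[field_at:field_at + nbytes], "big")
    target = (value if from_beginning else field_at + nbytes + value) + post_offset
    if not 0 <= target <= len(payload):
        cur.trace.append(f"byte_jump: value {value} -> {target}, outside the payload")
        return False
    cur.pos = target
    cur.trace.append(f"byte_jump: value {value}, cursor -> {target}, "
                     f"bytes there: {payload[target:target + 2].hex()}")
    return True


# Constructed sample data: MM MM | 3-byte length | variable part | XX XX | AA AA
MAGIC = bytes.fromhex("4d4d")
VAR = bytes(range(1, 8))                                     # 7 bytes of variable-length data
FILE = MAGIC + len(VAR).to_bytes(3, "big") + VAR + bytes.fromhex("5858aaaa")
HTTP = b"HTTP/1.1 200 OK\r\nContent-Length: 16\r\n\r\n"   # a header that may precede FILE
AA = bytes.fromhex("aaaa")


def rule_relative(payload: bytes):
    """content:"|4D 4D|"; byte_jump:3,0,relative; content:"|AA AA|"; distance:2; within:2;"""
    cur = Cursor()
    ok = (content(payload, cur, MAGIC)
          and byte_jump(payload, cur, 3, 0, relative=True)
          and content(payload, cur, AA, distance=2, within=2))
    return ok, cur


def rule_post_offset(payload: bytes):
    """Same jump with post_offset 2 on the byte_jump and distance:0 on the content."""
    cur = Cursor()
    ok = (content(payload, cur, MAGIC)
          and byte_jump(payload, cur, 3, 0, relative=True, post_offset=2)
          and content(payload, cur, AA, distance=0, within=2))
    return ok, cur


def rule_from_beginning(payload: bytes):
    """byte_jump:3,0,relative,from_beginning,post_offset 2; content:"|AA AA|"; distance:0; within:2;"""
    cur = Cursor()
    ok = (content(payload, cur, MAGIC)
          and byte_jump(payload, cur, 3, 0, relative=True, from_beginning=True, post_offset=2)
          and content(payload, cur, AA, distance=0, within=2))
    return ok, cur


if __name__ == "__main__":
    for name, rule in [("relative", rule_relative), ("post_offset", rule_post_offset),
                       ("from_beginning", rule_from_beginning)]:
        for label, payload in [("file only", FILE), ("HTTP header + file", HTTP + FILE)]:
            ok, cur = rule(payload)
            print(f"{name:15s} {label:20s} -> {'ALERT' if ok else 'no alert'}")
            for step in cur.trace:
                print("    " + step)
```

Running it shows the relative jump landing on the same bytes whether or not the header is present, while the from_beginning jump lands 9 bytes into the payload either way: inside the variable part without a header, inside the text "HTTP/1.1" with one. In this single-content case the post_offset and distance forms reach the same spot; the model treats post_offset as moving the cursor itself and distance as only shifting where that one content search starts.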
Current thread:
- Question regarding distances after a byte_jump... evejou (Dec 16)
- Re: Question regarding distances after a byte_jump... evejou (Dec 16)
- Re: Question regarding distances after a byte_jump... Joel Esler (Dec 16)
- Re: Question regarding distances after a byte_jump... evejou (Dec 16)
- Re: Question regarding distances after a byte_jump... Joel Esler (Dec 16)
- Re: Question regarding distances after a byte_jump... Joel Esler (Dec 16)
- Re: Question regarding distances after a byte_jump... evejou (Dec 16)