Snort mailing list archives
Re: Question on the relationship between byte_jump and content options
From: Tyler Smith <tyler.smith () adventiumlabs com>
Date: Wed, 24 Jun 2015 08:23:32 -0500
OK, that makes sense. Extrapolating from your reply, are the following statements accurate?

* The ‘within’ content modifier is dependent on the position of the cursor.
* The cursor position is (potentially) updated by each option in the rule as read from left to right. That is, a ‘content’ match will update the cursor position, just as byte_jump will update it.

Thanks,
Tyler
On Jun 24, 2015, at 8:18 AM, Alex McDonnell <amcdonnell () sourcefire com> wrote:

Byte_jump is not a content modifier but a standalone operation that moves the cursor (or point of inspection). This way a rule can skip over a record whose length we can read in the data. In the above example, we find a content match, read 2 bytes and jump that number of bytes from where the content was found, then we look for 3 static bytes right after where we land.

Hope this helps.

Alex McDonnell
TALOS

On Wed, Jun 24, 2015 at 8:57 AM, Tyler Smith <tyler.smith () adventiumlabs com> wrote:

Is the behavior of the ‘content’ option affected by ‘byte_jump’ options before or after it in a rule? The content manual page doesn’t list byte_jump as one of the available content modifiers, but some rules (e.g., sid 30777) appear to be written with an assumption that different content will be found following a byte_jump:

LEFT RULE:

alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30777; rev:3;)

Thanks,
Tyler

P.S. Documentation I’m referring to: http://manual.snort.org/node32.html#SECTION00451300000000000000

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
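To make the cursor behaviour discussed in this thread concrete, here is an added Python model of the option chain in sid 30777. It is example code written for this page, not Snort's implementation and not from either poster. The model assumes big-endian byte order (Snort's default), that byte_jump lands at the end of the bytes it read plus the value read (as the Snort manual describes it), that a jump past the end of the payload fails the option, and that `within:N` restricts the match to the N bytes after the cursor. The sample SSLv3 records are constructed inline, not captured traffic.

```python
"""Cursor model for the Snort options used in sid 30777 (added example).

Not Snort's source: a small model of how `content`, `byte_jump`, `within`
and `byte_test` read or move the detection cursor, so the left-to-right
dependency asked about in the thread can be traced on sample payloads.
"""


def content(buf, pattern, pos, within=None):
    """`content`: return the cursor just past the match, or None.

    Without modifiers the pattern is searched from the start of the buffer.
    With within=N the search is relative to the cursor and the whole match
    must fit in the N bytes after it, so a 3-byte pattern with within:3 must
    start exactly at the cursor.
    """
    if within is None:
        idx = buf.find(pattern)
    else:
        idx = buf.find(pattern, pos, pos + within)
    return None if idx == -1 else idx + len(pattern)


def byte_jump(buf, pos, nbytes):
    """`byte_jump:<nbytes>,0,relative`: read an unsigned big-endian integer
    at the cursor and move the cursor to end-of-read + value.
    Assumption: a destination beyond the payload fails the option."""
    if pos + nbytes > len(buf):
        return None
    value = int.from_bytes(buf[pos:pos + nbytes], "big")
    dest = pos + nbytes + value
    return dest if dest <= len(buf) else None


def byte_test(buf, pos, nbytes, op, operand):
    """`byte_test:<nbytes>,<op>,<operand>,0,relative`: compare the integer
    at the cursor without moving the cursor."""
    if pos + nbytes > len(buf):
        return False
    value = int.from_bytes(buf[pos:pos + nbytes], "big")
    return {">": value > operand, "<": value < operand, "=": value == operand}[op]


def sid_30777(payload):
    """Walk the option chain of sid 30777 left to right.
    Returns (alerted, trace) where trace records the cursor after each option."""
    trace = []
    pos = content(payload, b"\x16\x03\x00", 0)              # SSLv3 handshake record header
    trace.append(("content 16 03 00", pos))
    if pos is None:
        return False, trace
    pos = byte_jump(payload, pos, 2)                        # read record length, skip the body
    trace.append(("byte_jump 2,0,relative", pos))
    if pos is None:
        return False, trace
    pos = content(payload, b"\x18\x03\x00", pos, within=3)  # next record must be a heartbeat
    trace.append(("content 18 03 00 within 3", pos))
    if pos is None:
        return False, trace
    hit = byte_test(payload, pos, 2, ">", 128)              # heartbeat record length > 128
    trace.append(("byte_test 2,>,128,0,relative", hit))
    return hit, trace


# Constructed sample records (not captured traffic).
def ssl_record(ctype, body):
    """SSLv3 record: type, version 3.0, 2-byte big-endian length, body."""
    return bytes([ctype, 0x03, 0x00]) + len(body).to_bytes(2, "big") + body


HANDSHAKE = ssl_record(0x16, b"\x0e\x00\x00\x00")                         # ServerHelloDone
BIG_HEARTBEAT = ssl_record(0x18, b"\x02" + (200).to_bytes(2, "big") + b"A" * 200)   # 203-byte record
SMALL_HEARTBEAT = ssl_record(0x18, b"\x02" + (16).to_bytes(2, "big") + b"A" * 16)   # 19-byte record
APP_DATA = ssl_record(0x17, b"x" * 10)

if __name__ == "__main__":
    cases = [
        ("handshake + big heartbeat", HANDSHAKE + BIG_HEARTBEAT),            # alerts
        ("handshake + small heartbeat", HANDSHAKE + SMALL_HEARTBEAT),        # byte_test fails
        ("big heartbeat before handshake", BIG_HEARTBEAT + HANDSHAKE),       # jump lands at end
        ("app data between", HANDSHAKE + APP_DATA + BIG_HEARTBEAT),          # within:3 fails
    ]
    for name, payload in cases:
        alerted, trace = sid_30777(payload)
        print(f"{name}: alert={alerted} trace={trace}")
```

The third and fourth cases are the ones that answer the question in the thread: the bytes `18 03 00` are present in both payloads, yet the rule does not fire, because the second `content` is only searched in the 3-byte window after the cursor that `byte_jump` set, and the first `content` match is what positioned the cursor before that jump.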
Current thread:
- Question on the relationship between byte_jump and content options Tyler Smith (Jun 24)
- Re: Question on the relationship between byte_jump and content options Alex McDonnell (Jun 24)
- Re: Question on the relationship between byte_jump and content options Tyler Smith (Jun 24)
- Re: Question on the relationship between byte_jump and content options Alex McDonnell (Jun 24)
- Re: Question on the relationship between byte_jump and content options Tyler Smith (Jun 24)
- Re: Question on the relationship between byte_jump and content options Alex McDonnell (Jun 24)