Snort mailing list archives
Classify rules by offset and the usage of byte_jump
From: "Tommy Lin" <ljxsgtc () gmail com>
Date: Tue, 30 Jun 2015 04:35:27 -0700 (PDT)
Hi everyone,

I am new to Snort. Here are some questions I came up with while learning Snort.

1. After looking through some rule sets, I am wondering whether it is possible to classify rules by the offset of the content they contain. To be more specific, is it possible for an adversary to guess the goal of a rule by only knowing the values of offset, depth, within and distance that the rule has? For example, if a rule contains the option depth:3, the adversary can guess that this rule aims at HTTP GET request packets.

2. Some rules have two consecutive byte_jump options. For example:

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1264; rev:21;)

Can I merge the two options into one? If not, could you please show me an example? Actually, after reading the user manual and googling several times, I still don't know what exactly byte_jump does.

Thanks and regards,
Tommy Lin

Sent from Mailbox
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
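The following is an added example written for this archive page; it is not code from the post, from Snort, or from the Snort rule set. It models the cursor movement behind the rule quoted above (sid:1264) so the second question can be answered by stepping through it: in an ONC RPC call message the program/version/procedure fields are followed by two variable-length XDR opaque_auth structures (credentials, then verifier), each carrying a flavor, a length, and a body padded to 4 bytes. The first byte_jump reads the credential length and skips the credential body; only then does the verifier length sit at a known offset, so a second byte_jump is needed to skip the verifier body before the GETPORT argument (program 100026, bootparam) can be checked with within:4. The two cannot be folded into one because the position of the second length field depends on the value of the first. The matcher below implements content with offset/depth/distance/within and byte_jump with relative/align as described in the Snort manual (jump measured from the end of the bytes read, align rounding up to a 4-byte boundary); other byte_jump modifiers are left out, and the packet is constructed sample data, not a capture. Everything here (the helper names, the packet builder, the XID value) is an assumption for illustration.

```python
import struct


def build_rpc_portmap_call(cred_len, verf_len, target_prog=100026):
    """Constructed RPC CALL over TCP (4-byte record marker first) to portmap
    GETPORT (proc 3). cred_len / verf_len are the opaque_auth body lengths the
    two byte_jumps have to skip; XDR pads each body to a 4-byte boundary while
    the length field keeps the unpadded value, which is what 'align' handles."""
    def opaque_auth(flavor, length):
        pad = (-length) % 4
        return struct.pack(">II", flavor, length) + b"\x00" * (length + pad)

    body = struct.pack(">IIII", 0xDEADBEEF, 0, 2, 100000)  # xid, CALL, rpcvers 2, prog=portmap
    body += struct.pack(">II", 2, 3)                        # vers 2, proc 3 = GETPORT
    body += opaque_auth(1, cred_len)                        # credentials (AUTH_UNIX flavor)
    body += opaque_auth(0, verf_len)                        # verifier (AUTH_NULL flavor)
    body += struct.pack(">IIII", target_prog, 1, 6, 0)      # GETPORT args: prog, vers, prot, port
    record_marker = struct.pack(">I", 0x80000000 | len(body))  # last-fragment bit + length
    return record_marker + body


class Cursor:
    """Tracks the detection cursor (Snort's doe_ptr) through one payload."""
    def __init__(self, payload):
        self.payload = payload
        self.pos = 0  # end of the last match / last jump target


def content(cur, pattern, offset=None, depth=None, distance=None, within=None):
    """content with its four modifiers. offset/depth search from the payload
    start; distance/within search from the cursor left by the previous option.
    On success the cursor moves to the end of the match."""
    p = cur.payload
    if distance is None and within is None:
        start = offset or 0
        end = len(p) if depth is None else start + depth
    else:
        start = cur.pos + (distance or 0)
        end = len(p) if within is None else start + within
    idx = p.find(pattern, start, end)  # match must lie fully inside [start, end)
    if idx < 0:
        return False
    cur.pos = idx + len(pattern)
    return True


def byte_jump(cur, nbytes, offset, relative=False, align=False):
    """byte_jump: read nbytes at (cursor if relative else 0) + offset as a
    big-endian integer, optionally round up to a 4-byte boundary, then move the
    cursor to the end of the read bytes plus that value (manual semantics;
    multiplier/string/post_offset/from_beginning are not modeled)."""
    base = (cur.pos if relative else 0) + offset
    field = cur.payload[base:base + nbytes]
    if len(field) != nbytes:
        return False
    value = int.from_bytes(field, "big")
    if align:
        value = (value + 3) & ~3
    target = base + nbytes + value
    if target > len(cur.payload):
        return False
    cur.pos = target
    return True


def sid_1264_matches(payload):
    """The detection options of sid:1264 from the post, in rule order."""
    cur = Cursor(payload)
    steps = [
        lambda: content(cur, b"\x00\x01\x86\xA0", offset=16, depth=4),   # prog = portmap (100000)
        lambda: content(cur, b"\x00\x00\x00\x03", distance=4, within=4), # skip vers, proc = GETPORT
        lambda: byte_jump(cur, 4, 4, relative=True, align=True),          # skip credentials body
        lambda: byte_jump(cur, 4, 4, relative=True, align=True),          # skip verifier body
        lambda: content(cur, b"\x00\x01\x86\xBA", within=4),              # GETPORT arg prog = bootparam
        lambda: content(cur, b"\x00\x00\x00\x00", offset=8, depth=4),     # msg_type = CALL
    ]
    return all(step() for step in steps)


def jump_trace(payload):
    """Cursor position after the first and after the second byte_jump, to show
    that the second jump starts where the first one landed."""
    cur = Cursor(payload)
    content(cur, b"\x00\x01\x86\xA0", offset=16, depth=4)
    content(cur, b"\x00\x00\x00\x03", distance=4, within=4)
    byte_jump(cur, 4, 4, relative=True, align=True)
    after_cred = cur.pos
    byte_jump(cur, 4, 4, relative=True, align=True)
    return after_cred, cur.pos


if __name__ == "__main__":
    for cred, verf in ((20, 0), (13, 8)):
        pkt = build_rpc_portmap_call(cred, verf)
        print(f"cred_len={cred} verf_len={verf}: jumps land at {jump_trace(pkt)}, "
              f"match={sid_1264_matches(pkt)}")
```

Running the block with different credential and verifier lengths shows the first jump landing at a different offset each time and the second jump starting from that landing point; the rule still matches because each jump consumed exactly one length field. The unaligned length 13 is rounded up to 16 by align, matching the XDR padding in the packet.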
Current thread:
- Classify rules by offset and the usage of byte_jump Tommy Lin (Jun 30)
- Re: Classify rules by offset and the usage of byte_jump Alex McDonnell (Jun 30)