Snort mailing list archives
Re: Are there examples for SO rules including ByteExtract?
From: Patrick Mullen <pmullen () sourcefire com>
Date: Thu, 16 Jul 2015 12:26:06 -0400
Martin,

byte_extract isn't supported in the generator at this time because you're already in C so reading values from the payload is trivial. Inside of so-util.h, there are functions and macros that make it even easier (read_big_32, read_little_16, etc.).

isdataat is implemented through pointer math -- if(cursor_normal + size_you_are_checking > end_of_payload) { return RULE_NOMATCH; /* not enough data available */ }. end_of_payload would be set by a call to getBuffer() earlier in the code. cursor_normal is wherever you are currently located in the payload.

Look for usages of these functions in the so_rules directory (downloaded with the rules tarball from snort.org) for examples; there are many. Our coding guidelines should make all of the terms I used in my examples show up many times.

There may also be ways to do this within a text rule. There are features like post_offset and such to handle sizes that include additional header information or whatnot, and there's no reason you couldn't byte_extract an offset to find the size field you are looking for at another offset. Or, perhaps another strategy could be used to avoid these complications.

I always preach the concept of "good enough" detection. This isn't to say "half-assed" detection; I generally don't let our people get away with weak stuff, but in many instances detection that may not be 100% perfect is more than adequate for detecting bad people doing bad things on the Internet while being suitably resistant to false positives. And sometimes, because the rule is more loose, we end up catching other shenanigans we weren't even aware of when we wrote the rule!

Thanks,

~Patrick

On Wed, Jul 15, 2015 at 7:58 AM, Martin Aman <martin.aman () th-deg de> wrote:
Hello,

I am trying to write a rule that reads the length of a header part of an application protocol and uses that number to verify the correct length of the entire packet. But there is an additional offset (read number does not equal length) that makes it quite hard to solve. A possible way would be to write a non-SO rule with byte_extract and isdataat with the corresponding offset. The only problem is that I would need to add an offset to the offset, which doesn't seem to work as of yet.

In my research I have found this VRT Shared Object Rule Generator (https://labs.snort.org/cgi-bin/sorules.cgi) which is supposed to help me with writing SO rules, but I can't get it to parse the following rule, which works fine with Snort 2.9.7.2:

alert udp any any -> any any (msg: "trying to check for length"; content: "|FF FF FF FF|"; offset: 0; depth: 4; byte_extract:4,0,len_value; isdataat:len_value; classtype:attempted-recon; sid: 12345678; rev:1;)

Since I haven't seen any other blog entries than http://vrt-blog.snort.org/2010/02/introduction-to-shared-object-rules.html and I have neither found a Snort Plugin API documentation nor other information on the Snort mailing list or on the Internet in general...

... I'd like to ask if somebody is willing to share a few basic examples for writing SO rules in general and how to use ByteExtract with ByteTest and isdataat/Cursor specifically. Also recommendations for resources and books are welcomed.

Thanking you in advance.

Yours faithfully,
Martin Aman
--
Patrick Mullen
Response Research Manager
Sourcefire VRT
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
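As an added illustration (not code from this thread, from so-util.h or from the so_rules tree), here is the pointer-math check Patrick describes, applied to Martin's rule as a plain C function: RULE_MATCH/RULE_NOMATCH, HDR_LEN and rd_be32 are local stand-ins for the engine's definitions, and the assumption that the length field counts the bytes after an 8-byte header is mine, not Martin's protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the engine's return codes; the real values come
 * from the Snort SO rule headers, not from this example. */
#define RULE_MATCH   1
#define RULE_NOMATCH 0

/* Local big-endian reader playing the role of read_big_32 from so-util.h. */
static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* What an SO rule's eval function would do for Martin's rule, written against
 * a plain buffer instead of the engine's getBuffer() cursor.  Assumption: the
 * 32-bit length field at offset 4 counts the bytes that FOLLOW the 8-byte
 * header, so the "extra offset" Martin needs is the header size itself. */
int check_length_rule(const uint8_t *payload, size_t payload_len)
{
    static const uint8_t magic[4] = { 0xFF, 0xFF, 0xFF, 0xFF };
    const uint8_t *cursor = payload;                 /* cursor_normal  */
    const uint8_t *end    = payload + payload_len;   /* end_of_payload */
    uint32_t declared;

    /* content:"|FF FF FF FF|"; offset:0; depth:4 -- verify data is there first */
    if ((size_t)(end - cursor) < sizeof magic ||
        memcmp(cursor, magic, sizeof magic) != 0)
        return RULE_NOMATCH;
    cursor += sizeof magic;

    /* byte_extract:4,0,len_value -- bounds-check before reading the field */
    if ((size_t)(end - cursor) < 4)
        return RULE_NOMATCH;
    declared = rd_be32(cursor);
    cursor += 4;

    /* isdataat:len_value with the header offset folded in, because cursor is
     * already past the header.  Compare the remaining length rather than
     * forming cursor + declared: a huge declared value can wrap that pointer
     * sum and slip past a test written as cursor + size > end. */
    if ((size_t)(end - cursor) < (size_t)declared)
        return RULE_NOMATCH;   /* not enough data available */

    return RULE_MATCH;
}
```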