Snort mailing list archives
Re: Urgent Pointer
From: Geoffrey Serrao <gserrao () sourcefire com>
Date: Thu, 30 Jun 2016 20:54:54 -0400
Hey Ray,

Sounds like an interesting problem. Do you have a pcap you could share? The uint16 that is the urgent pointer is not available to analyze in a text rule, but the URG flag can be checked in a text rule. However, it might be possible to write a shared object rule to check for a nonzero urgent pointer and alert/block:

    typedef struct _TCPHeader
    {
        uint16_t source_port;
        uint16_t destination_port;
        uint32_t sequence;
        uint32_t acknowledgement;
        uint8_t  offset_reserved;
        uint8_t  flags;
        uint16_t window;
        uint16_t checksum;
        uint16_t urgent_pointer;
    } TCPHeader;

You can also configure the normalize preprocessor to zero this pointer if the URG flag is not set. This won't generate an alert (though it will be reflected in the normalizer stats) but since this is related here is the option to set:

    req_urg: clear the urgent pointer if the urgent flag is not set.

On Thu, Jun 30, 2016 at 3:34 PM, Pittigher, Raymond <RPITTIGH () harris com> wrote:
Here are 2 captures of the things I am trying to catch

- Ray Pittigher
--Harris
--phone 973-284-2275
--email raymond.pittigher () harris com

________________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Thursday, June 30, 2016 2:03 PM
To: Pittigher, Raymond (U.S. Person); snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Urgent Pointer

Can you provide an example of the rule/pcap and what you are trying to do?

Thanks.

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Email: allewi () cisco com

On 6/30/16, 1:55 PM, "Pittigher, Raymond" <RPITTIGH () harris com> wrote:

I tried the ack keyword but I found no option for !0 or looking for anything but zero. It seems to either want 0 or an exact number.

- Ray Pittigher
--Harris
--phone 973-284-2275
--email raymond.pittigher () harris com

________________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Thursday, June 30, 2016 1:49 PM
To: Pittigher, Raymond (U.S. Person); snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Urgent Pointer

Offset is used for content. Try this:

For flags:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node33.html#SECTION00468000000000000000

For ack number:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node33.html#SECTION004612000000000000000

Thanks.

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Email: allewi () cisco com

On 6/30/16, 1:29 PM, "Pittigher, Raymond" <RPITTIGH () harris com> wrote:

I am trying, but have not succeeded yet, to read data in the "urgent pointer" or "acknowledgement number" fields. I am trying with the offset option assuming it must be a negative number? I am using snort on the command line with a pcap file. Anybody ever do this?

------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San Francisco, CA to explore cutting-edge tech and listen to tech luminaries present their vision of the future. This family event has something for everyone, including kids. Get more information and register today. http://sdm.link/attshape
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
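The nonzero-urgent-pointer check Geoffrey sketches above, written out as an added example that is not from this thread and not Snort's shared-object rule API: it decodes a raw TCP header into the quoted field layout and reports the two conditions the thread discusses, an urgent pointer that is set at all, and one set while URG is clear (the case normalize's req_urg zeroes). The helper names and the three sample headers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define TCP_FLAG_URG 0x20u  /* URG bit in the flags byte */

typedef struct _TCPHeader {         /* field order as quoted in the thread */
    uint16_t source_port, destination_port;
    uint32_t sequence, acknowledgement;
    uint8_t  offset_reserved, flags;
    uint16_t window, checksum, urgent_pointer;
} TCPHeader;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Decode a TCP header from wire bytes (network byte order) field by field, so the
 * result does not depend on struct packing; returns -1 if the buffer is too short. */
int tcp_parse(const uint8_t *buf, size_t len, TCPHeader *h) {
    if (buf == NULL || h == NULL || len < 20) return -1;
    h->source_port = rd16(buf);       h->destination_port = rd16(buf + 2);
    h->sequence = rd32(buf + 4);      h->acknowledgement = rd32(buf + 8);
    h->offset_reserved = buf[12];     h->flags = buf[13];
    h->window = rd16(buf + 14);       h->checksum = rd16(buf + 16);
    h->urgent_pointer = rd16(buf + 18);
    return 0;
}

/* Check a shared-object rule could make: 1 if the urgent pointer is nonzero. */
int urgent_pointer_nonzero(const uint8_t *buf, size_t len) {
    TCPHeader h;
    if (tcp_parse(buf, len, &h) != 0) return -1;
    return h.urgent_pointer != 0;
}

/* The condition normalize's req_urg clears: nonzero urgent pointer with URG unset. */
int urgent_pointer_without_urg(const uint8_t *buf, size_t len) {
    TCPHeader h;
    if (tcp_parse(buf, len, &h) != 0) return -1;
    return h.urgent_pointer != 0 && (h.flags & TCP_FLAG_URG) == 0;
}

/* Constructed sample headers (not Ray's captures): port 1234 -> 80, seq 1, ack 0,
 * data offset 5, window 8192, checksum left 0. */
const uint8_t pkt_urg_set[20]   = {0x04,0xD2,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x38,
                                   0x20,0x00, 0,0, 0x00,0x10};  /* PSH|ACK|URG, urgptr 16 */
const uint8_t pkt_urg_clear[20] = {0x04,0xD2,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x18,
                                   0x20,0x00, 0,0, 0x00,0x10};  /* PSH|ACK, urgptr 16 */
const uint8_t pkt_normal[20]    = {0x04,0xD2,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x18,
                                   0x20,0x00, 0,0, 0x00,0x00};  /* PSH|ACK, urgptr 0 */
```

In a text rule only the URG bit is reachable (flags:U), so a rule that must see the pointer value itself needs this kind of header decode in a shared-object rule, or the req_urg normalization if silently zeroing it is acceptable.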