Snort mailing list archives
Length encoded protocol / LDAP and BER
From: FOULDE Damien <damien.foulde () axians com>
Date: Wed, 25 Jan 2017 18:38:28 +0000
Hello,

I'm faced with an issue dissecting a length-encoded protocol, LDAP in my case, which uses BER. I'm blocked because the value extracted through byte_extract can only be supplied to the offset argument of the byte_jump rule keyword and not to the bytes_to_convert argument.

Let me take an example. I have the bytes below and I need to check the 0x80 byte:

82 00 05 12 24 56 78 12 80

0x82 = 10000010

The MSB is set to 1, so the value of the 7 other bits is not the length of the data but the number of bytes used to describe the length of the data. In this example, the number of bytes describing the length of the data is 0000010 = 2.

We can get this value through byte_extract:1,0,var_length,relative,bitmask 0x7f;

Then we would need to get the 00 05 = 5 value, to jump over the 5 following bytes (12 24 56 78 12) and finally be able to test the 0x80 content we need to check. This could be achieved through byte_jump:var_length,0,relative; if the byte_jump rule keyword accepted an extracted value for the bytes_to_convert argument; unfortunately this is not the case.

Did I miss a Snort feature which could achieve this? Do you know if there is already a feature request for something like this?

Thank you & regards,
Damien
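As an added illustration (not part of the original post or of Snort itself), the following Python decoder implements the two-stage BER length handling the message describes: read the first length octet, and if its MSB is set, treat the low 7 bits as the count of following octets that hold the real length, then skip the value and inspect the byte after it. The sample bytes are the ones from the message; the function names and the cap on length-of-length octets are assumptions of this example.

```python
# Added example: BER length decoding as used by LDAP (short and long form).
# Not code from the original post or from Snort; names are illustrative.

def decode_ber_length(data: bytes, offset: int = 0):
    """Return (length, octets_consumed) for the BER length field at `offset`.

    Short form: first octet has MSB clear; its low 7 bits are the length.
    Long form:  first octet has MSB set; its low 7 bits give the number of
                following octets, which hold the length big-endian.
    The indefinite form (0x80) is not permitted by LDAP's BER restrictions,
    so it is rejected here rather than guessed at.
    """
    if offset >= len(data):
        raise ValueError("truncated: no length octet at offset %d" % offset)
    first = data[offset]
    if first & 0x80 == 0:
        # Short form: the octet itself is the length (0..127).
        return first, 1
    n = first & 0x7F  # the bitmask 0x7f step from the message
    if n == 0:
        raise ValueError("indefinite-length form is not allowed in LDAP")
    if n > 4:
        # Assumed defensive cap: a length wider than 32 bits is not a
        # plausible LDAP PDU and usually signals a malformed message.
        raise ValueError("length-of-length %d octets is too large" % n)
    if offset + 1 + n > len(data):
        raise ValueError("truncated: length octets run past end of data")
    length = int.from_bytes(data[offset + 1 : offset + 1 + n], "big")
    return length, 1 + n


def byte_after_value(data: bytes, offset: int = 0) -> int:
    """Skip the length field and the value it covers; return the next byte.

    This is the position the message wants to test (the 0x80 octet).
    """
    length, consumed = decode_ber_length(data, offset)
    target = offset + consumed + length
    if target >= len(data):
        raise ValueError("truncated: value extends past end of data")
    return data[target]


# Constructed sample: the exact bytes quoted in the message.
SAMPLE = bytes.fromhex("82 00 05 12 24 56 78 12 80")

if __name__ == "__main__":
    length, consumed = decode_ber_length(SAMPLE)
    print("long-form length field: length=%d, field occupies %d octets"
          % (length, consumed))          # length=5, 3 octets (82 00 05)
    print("byte after the value: 0x%02x" % byte_after_value(SAMPLE))  # 0x80
```

The `n > 4` cap and the rejection of the indefinite form are what make this safe to run over untrusted traffic: without them, a crafted length field could push the cursor far past the buffer or leave the parser without a well-defined end of value.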
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!