Snort mailing list archives

Re: byte_test and buffer cursor


From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Thu, 9 Feb 2017 17:07:42 -0500

Your test would go better if you specified "string" and "dec" in your
byte_test so that Snort interprets those bytes as 124 and not 0x313234, which is
a very different number. byte_test can go up to 10 bytes and with the
string option will stop at the first non-ASCII-digit byte, like 0x0D.
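The two behaviours Alex describes, modelled as a small added example (not Snort code and not from this thread): a content match that advances the cursor, a byte_test that compares either raw big-endian bytes or, with string/dec, ASCII digits up to the first non-digit, and a cursor that byte_test leaves where it found it. The header block, the evaluate() helper and the function names are constructed for the example; the model reproduces why "3,>,160" matched "165" while "3,=,165" did not.

```python
import operator
import re

# Constructed sample of a raw HTTP request header block (not from the thread).
RAW_HEADER = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 165\r\n"
    b"\r\n"
)

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}


def content_match(buf, pattern, cursor=0):
    """Model of a content match: on success the cursor moves to the byte
    right after the matched pattern."""
    idx = buf.find(pattern, cursor)
    if idx < 0:
        return False, cursor
    return True, idx + len(pattern)


def byte_test(buf, cursor, num_bytes, op, value, offset=0, string=False):
    """Model of byte_test:<bytes>,<op>,<value>,<offset>,relative[,string,dec].
    Returns (matched, cursor). The cursor comes back unchanged: byte_test
    only compares, it never advances the detection cursor."""
    start = cursor + offset
    window = buf[start:start + num_bytes]
    if string:
        # string,dec: convert ASCII digits, stopping at the first non-digit
        # (e.g. the 0x0D ending the header line), so fewer than num_bytes
        # may actually be consumed.
        m = re.match(rb"[0-9]+", window)
        if m is None:
            return False, cursor
        converted = int(m.group(0))
    else:
        # default mode: the raw bytes are read as a big-endian integer,
        # so b"165" becomes 0x313635, not 165.
        if len(window) < num_bytes:
            return False, cursor
        converted = int.from_bytes(window, "big")
    return OPS[op](converted, value), cursor


def evaluate(buf, tests):
    """Content-match 'Content-Length: ' then run a chain of relative
    byte_tests; returns the per-test results and the final cursor."""
    matched, cursor = content_match(buf, b"Content-Length: ")
    results = []
    for (num_bytes, op, value, string) in tests:
        ok, cursor = byte_test(buf, cursor, num_bytes, op, value, 0, string)
        results.append(ok)
    return results, cursor
```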

On Thu, Feb 9, 2017 at 5:00 PM, Y M <snort () outlook com> wrote:

Thank you Alex.


I did go through the manual and I guess I must have missed it, at least
in the byte_test section.


Using the value I am expecting in the second byte_test did not yield
a match:


content:"Content-Length|3A 20|"; http_raw_header;
byte_test:3,>,160,0,relative; byte_test:3,=,165,0,relative;


Keeping only the first byte_test yields a match:


content:"Content-Length|3A 20|"; http_raw_header;
byte_test:3,>,160,0,relative;


Using a single byte_test with the value I am expecting does not yield a
match:


content:"Content-Length|3A 20|"; http_raw_header;
byte_test:3,=,165,0,relative;


tshark -nn -r capture.pcap -Y 'http.request.method == POST' -T fields -e
http.content_length | sort | uniq


124
165
89
93

Just to verify my understanding, the first content match should set the
cursor to the next byte right after the matched content, correct? I
guess this is not the best way to do it since the Content-Length is a lot more
variable than I thought, plus historical data. Back to the drawing board.


Thanks again Alex.

YM
------------------------------
From: Alex McDonnell <amcdonnell () sourcefire com>
Sent: Friday, February 10, 2017 12:34:23 AM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] byte_test and buffer cursor

I'm pretty sure that's in the Snort Manual, byte_test does not move the
cursor, byte_extract does. You could also test for the value you expect in
your second test to verify ;)

Alex McDonnell
TALOS

On Thu, Feb 9, 2017 at 4:30 PM, Y M <snort () outlook com> wrote:

Does a byte_test move the cursor into a buffer by the number of bytes it
tests? Does it depend on the buffer against which the byte_test is
operating?


In essence, I am trying to use byte_test to validate that the decimal
value of X number of bytes falls within a decimal range. Something similar
to:


http_raw_header; byte_test:3,>,160,0,relative;
byte_test:3,<,170,0,relative;


If the first byte_test above moves the cursor 3 bytes into the buffer,
how can I reset the cursor back to the beginning of the buffer of the
last/relative content match (http_raw_header)? Or am I just doing it all
wrong?


YM




_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset and make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads
