Snort mailing list archives
Re: byte_test and buffer cursor
From: Y M <snort () outlook com>
Date: Thu, 9 Feb 2017 22:14:07 +0000
That was it, Alex. The "string" and "dec" did the trick. I haven't paid enough attention to these options but the last detail you provided was an aha/hmm moment. Thanks a bunch.

YM

________________________________
From: Alex McDonnell <amcdonnell () sourcefire com>
Sent: Friday, February 10, 2017 1:07:42 AM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] byte_test and buffer cursor

Your test would go better if you specified "string" and "dec" in your byte_test so that Snort interprets those bytes as 124 and not 0x313234, which is a very different number. byte_test can go up to 10 bytes and with the string option will stop at the first non-ASCII-number byte, like 0x0D.

On Thu, Feb 9, 2017 at 5:00 PM, Y M <snort () outlook com> wrote:

Thank you Alex. I did go through the manual and I guess I must have missed it, at least in the byte_test section.

Using the value I am expecting in the second byte_test did not yield a match:

    content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,=,165,0,relative;

Keeping only the first byte_test yields a match:

    content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,relative;

Using a single byte_test with the value I am expecting does not yield a match:

    content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,=,165,0,relative;

    tshark -nn -r capture.pcap -Y 'http.request.method == POST' -T fields -e http.content_length | sort | uniq
    124
    165
    89
    93

Just to verify my understanding, the first content match should set the cursor to the next byte right after the matched content, correct?

I guess this is not the best way to do it since the Content-Length is a lot more variable than I thought + historical data. Back to the drawing board. Thanks again Alex.

YM

________________________________
From: Alex McDonnell <amcdonnell () sourcefire com>
Sent: Friday, February 10, 2017 12:34:23 AM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] byte_test and buffer cursor

I'm pretty sure that's in the Snort Manual, byte_test does not move the cursor, byte_extract does. You could also test for the value you expect in your second test to verify ;)

Alex McDonnell
TALOS

On Thu, Feb 9, 2017 at 4:30 PM, Y M <snort () outlook com> wrote:

Does a byte_test move the cursor into a buffer the number of bytes it tests? Does it depend on the buffer against which the byte_test is operating?

In essence, I am trying to use byte_test to validate that the decimal value of X number of bytes falls within a decimal range. Something similar to:

    http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,<,170,0,relative;

If the first byte_test above moves the cursor 3 bytes into the buffer, how can I reset the cursor back to the beginning of the buffer of the last/relative content match (http_raw_header)? Or am I just doing it all wrong?

YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
Current thread:
- byte_test and buffer cursor Y M (Feb 09)
- Re: byte_test and buffer cursor Alex McDonnell (Feb 09)
- Re: byte_test and buffer cursor Y M (Feb 09)
- Re: byte_test and buffer cursor Alex McDonnell (Feb 09)
- Re: byte_test and buffer cursor Y M (Feb 09)
- Re: byte_test and buffer cursor Y M (Feb 09)
- Re: byte_test and buffer cursor Alex McDonnell (Feb 09)