Snort mailing list archives

Re: byte_test and buffer cursor


From: Y M <snort () outlook com>
Date: Thu, 9 Feb 2017 22:14:07 +0000

That was it, Alex. The "string" and "dec" did the trick. I haven't paid enough attention to these options but the last 
detail you provided was an aha/hmm moment.


Thanks a bunch.

YM

________________________________
From: Alex McDonnell <amcdonnell () sourcefire com>
Sent: Friday, February 10, 2017 1:07:42 AM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] byte_test and buffer cursor

Your test would go better if you specified "string" and "dec" in your byte_test so that Snort interprets those bytes as 
124 and not 0x313234, which is a very different number. byte_test can go up to 10 bytes and, with the string option, will 
stop at the first non-ASCII-number byte, like 0x0D.

On Thu, Feb 9, 2017 at 5:00 PM, Y M <snort () outlook com<mailto:snort () outlook com>> wrote:

Thank you Alex.


I did go through the manual and I guess I must have missed it, at least in the byte_test section.


Using the value I am expecting in the second byte_test did not yield a match:


content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,=,165,0,relative;


Keeping only the first byte_test yields a match:


content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,relative;


Using a single byte_test with the value I am expecting does not yield a match:


content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,=,165,0,relative;


tshark -nn -r capture.pcap -Y 'http.request.method == POST' -T fields -e http.content_length | sort | uniq


124
165
89
93


Just to verify my understanding, the first content match should set the cursor to the next byte right after the matched 
content, correct? I guess this is not the best way to do it, since the Content-Length is a lot more variable than I thought 
+ historical data. Back to the drawing board.


Thanks again Alex.

YM

________________________________
From: Alex McDonnell <amcdonnell () sourcefire com>
Sent: Friday, February 10, 2017 12:34:23 AM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] byte_test and buffer cursor

I'm pretty sure that's in the Snort Manual, byte_test does not move the cursor, byte_extract does. You could also test 
for the value you expect in your second test to verify ;)

Alex McDonnell
TALOS

On Thu, Feb 9, 2017 at 4:30 PM, Y M <snort () outlook com> wrote:

Does a byte_test move the cursor into a buffer the number of bytes it tests? Does it depend on the buffer against which 
the byte_test is operating?


In essence, I am trying to use byte_test to validate that the decimal value of X number of bytes falls within a decimal 
range. Something similar to:


http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,<,170,0,relative;


If the first byte_test above moves the cursor 3 bytes into the buffer, how can I reset the cursor back to the beginning 
of the buffer of the last/relative content match (http_raw_header)? Or am I just doing it all wrong?


YM



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging 
threats: https://snort.org/downloads/#rule-downloads
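An added example, not from the thread or from Snort's own code: a small Python model of the byte_test behaviour discussed above. It shows why `byte_test:3,=,165,0,relative` fails on the ASCII digits "165" unless string and dec are given, and that byte_test hands the cursor back where the content match left it. The HTTP header bytes and the helper names (read_number, content_match, byte_test, run_rule) are constructed for this illustration.

```python
import operator

# Comparison operators modelled here (the thread uses '>' and '='); '&' and '^' omitted.
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq, "!=": operator.ne}

# Constructed raw request header, not from a real capture; Content-Length 165 as in the thread.
HEADER = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 165\r\nContent-Type: text/plain\r\n\r\n")

def read_number(raw, string=False, base=10):
    """Convert the tested bytes the way byte_test does: without 'string' they are a
    big-endian binary integer (b"124" -> 0x313234); with 'string' they are ASCII
    digits in `base`, and reading stops at the first non-digit byte such as 0x0D."""
    if not string:
        return int.from_bytes(raw, "big")
    text = ""
    for b in raw:
        ch = chr(b)
        try:
            int(ch, base)          # is this byte a digit in the requested base?
        except ValueError:
            break
        text += ch
    return int(text, base) if text else None

def content_match(buf, pattern, cursor=0):
    """Model of `content`: on a hit the cursor lands on the byte right after the match."""
    i = buf.find(pattern, cursor)
    return (True, i + len(pattern)) if i >= 0 else (False, cursor)

def byte_test(buf, cursor, nbytes, op, value, offset=0, string=False, base=10):
    """Model of a relative byte_test. Returns (matched, cursor); the cursor comes back
    unchanged because byte_test never moves it (byte_extract is what does)."""
    raw = buf[cursor + offset:cursor + offset + nbytes]
    if len(raw) < nbytes:
        return False, cursor
    n = read_number(raw, string, base)
    return (n is not None and OPS[op](n, value)), cursor

def run_rule(header=HEADER, string=False):
    """Replay the thread's rule: content:"Content-Length|3A 20|"; http_raw_header;
    byte_test:3,>,160,0,relative; byte_test:3,=,165,0,relative, with or without
    string,dec on both byte_tests. True only when both byte_tests match."""
    hit, cur = content_match(header, b"Content-Length\x3a\x20")
    if not hit:
        return False
    gt, cur = byte_test(header, cur, 3, ">", 160, string=string)
    eq, cur = byte_test(header, cur, 3, "=", 165, string=string)
    return gt and eq
```

Without string,dec the first test alone "matches" only because 0x313635 is a huge number, which is exactly the false positive the thread ran into.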

