Snort mailing list archives
Re: Detection of hex pattern given directly in a TCP header
From: Russ via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 24 Oct 2017 09:59:11 -0400
Snort++ now has rule options for mss and wscale in the extras. Pull from github and follow the steps in extra/README to build and run with the external plugins.
https://github.com/snortadmin/snort3

Hope that helps.

Russ

On 10/16/17 5:22 PM, Patrick Mullen wrote:
If you are handy with C, you can also write a shared object rule to access that data. The file os-windows_ms-windows-tcp-mss.c, available in the rule pack, accesses the TCP options and does some value validation. You may also find server-other_openssl-dtls-hs-fragment.c helpful, but both of these are not simple SO Rules and sorry but I cannot go through and explain them. But if you're comfortable programming C, they should give you some pointers in the right direction.

Thanks,
~Patrick

On Thu, Oct 12, 2017 at 7:07 PM, ustas <ustas () ispras ru> wrote:
Hello Russ,
I think detection of the particular values is what I need, so it would be great if you help me get appropriate rule options.
Best Regards,
Ustas.

Russ wrote on 2017-10-13 00:44:
If you are looking for particular values instead of specific conditions that the preprocessor may detect, I can help you get rule options running for Snort++.

On 10/12/17 4:55 PM, rmkml wrote:
Try stream5 preproc with detect_anomalies enabled. Could you share a pcap for testing?
Best Regards
@Rmkml

On Thu, 12 Oct 2017, Yury Markin wrote:
Rmkml, thank you for the answer!
I want to detect packets with certain values of TCP options, e.g. packets with max segment size (1000) and window scale (0). It would be great if you can advise how this scenario may be implemented.
Best wishes,
Ustas.

Thu 12.10.2017 20:34, rmkml writes:
Hi Ustas,
Yes you are right, it is not possible to detect content on the TCP header, but could you describe more what you want to detect exactly on the TCP header please?
Best Regards
@Rmkml

On Thu, 12 Oct 2017, Маркин Юрий Витальевич wrote:
Hello,
I'm trying to create a Snort rule for detection of a hex pattern given directly (like "|0a 01 0f 03|") in a TCP header (or IP payload). As far as I know the 'content' keyword can not help me because it is used to search for a hex pattern in the transport layer protocol payload, but not in the payload of the network layer protocol.
I tried to use the 'offset' keyword with a negative value to "move" the cursor to the left of the TCP payload, but this method has failed. Is it possible for Snort to detect a hex pattern in a TCP header?
Thanks in advance.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads

--
Patrick Mullen
Response Research Manager
Cisco TALOS
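The check the thread converges on (MSS == 1000 and window scale == 0, read from the TCP options rather than the payload) as a standalone C option walker, added here as an example; it is not code from the thread, from the Snort rule pack or from the Snort++ mss/wscale plugins. Names (`parse_tcp_options`, `match_mss_wscale`, `sample_syn`) and the sample SYN header are constructed for this example; the bounds checks show the malformed-option cases a detector has to survive.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { bool have_mss, have_wscale; uint16_t mss; uint8_t wscale; } tcp_opts_t;

/* Walk the TCP options area (bytes 20 .. data_offset*4). `tcp` points at the first
 * byte of the TCP header, `len` is how many bytes are really in the buffer.
 * Returns false when the header or an option is truncated or has a bogus length. */
bool parse_tcp_options(const uint8_t *tcp, size_t len, tcp_opts_t *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 20) return false;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;        /* data offset, in 32-bit words */
    if (hlen < 20 || hlen > len) return false;
    for (size_t i = 20; i < hlen; ) {
        uint8_t kind = tcp[i];
        if (kind == 0) break;                          /* EOL: end of option list */
        if (kind == 1) { i++; continue; }              /* NOP: single-byte padding */
        if (i + 1 >= hlen) return false;               /* length byte missing */
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > hlen) return false; /* bogus option length */
        if (kind == 2 && olen == 4) {                  /* MSS */
            out->mss = (uint16_t)((tcp[i + 2] << 8) | tcp[i + 3]);
            out->have_mss = true;
        } else if (kind == 3 && olen == 3) {           /* window scale */
            out->wscale = tcp[i + 2];
            out->have_wscale = true;
        }
        i += olen;
    }
    return true;
}

/* The condition asked for in the thread: MSS == 1000 and window scale == 0. */
bool match_mss_wscale(const uint8_t *tcp, size_t len, uint16_t mss, uint8_t ws)
{
    tcp_opts_t o;
    if (!parse_tcp_options(tcp, len, &o)) return false;
    return o.have_mss && o.have_wscale && o.mss == mss && o.wscale == ws;
}

/* Constructed 32-byte SYN header: data offset 8; options MSS=1000, NOP, WSCALE=0, NOP, NOP, SACK-OK. */
static const uint8_t sample_syn[32] = {
    0x30,0x39, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x80,0x02, 0xff,0xff, 0,0, 0,0,
    0x02,0x04,0x03,0xe8, 0x01, 0x03,0x03,0x00, 0x01,0x01, 0x04,0x02 };

bool sample_matches(void) { return match_mss_wscale(sample_syn, sizeof sample_syn, 1000, 0); }
```

A truncated capture (fewer bytes than the data offset claims) is rejected rather than read past the buffer, which is the case a shared object rule must also handle.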