Snort mailing list archives
RE: offset help.
From: Ciprian Badescu <ciprian.badescu@alcatel.ro>
Date: Thu, 19 Jun 2003 16:39:23 +0300 (EEST)
Hi,

You have two offset definitions in your rule.
Check also: http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.10
The number represents the number of bytes (you can see a byte as two hex numbers).

--
______V______
Ciprian Badescu
A L C A T E L
Mobile Networks Division
R&D Center
Phone: +40 56 303100 (ext. 5786)
Fax: +40 56 295386
Email: Ciprian.Badescu@alcatel.ro

On Thu, 19 Jun 2003, larosa, vjay wrote:
Date: Thu, 19 Jun 2003 08:34:09 -0400
From: "larosa, vjay" <larosa_vjay@emc.com>
To: "'snort-users@lists.sourceforge.net'" <snort-users@lists.sourceforge.net>
Subject: RE: [Snort-users] offset help.

Hello Everybody,

I posted this message yesterday and did some more fooling around with the offset keyword but still no luck. Does anybody know if the offset and depth keywords are specified in hex or decimal?

Thanks!

vjl

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay@emc.com]
Sent: Wednesday, June 18, 2003 4:28 PM
To: 'snort-users@lists.sourceforge.net'
Subject: [Snort-users] offset help.

Hello,

I have been killing myself all afternoon trying to get a rule to work using the offset and depth keywords. I am trying to match the pattern 07 00 00 00 in the packet below with the following rule. Can anybody tell me what I am doing wrong with the depth and offset keywords?

Thanks!

vjl

alert tcp any any -> any 139 (msg:"File Write to Win 2K Startup folder."; flow:to_server,established; content:"|ff 53 4d 42 a2|"; depth:48; content:"|5c 00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|s|00| |00|a|00|n|00|d|00| |00|S|00|e|00|t|00|t|00|i|00|n|00|g|00|s|00 5c 00|"; content:"|5c 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5c 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5c 00|S|00|t|00|a|00|r|00|t|00|u|00|p|00 5c 00|"; content:"|3a 00 24 00|D|00|A|00|T|00|A|00|"; content:"|07 00 00 00|"; offset:121; depth:8; classtype:misc-activity; rev:1;)

06/18-14:36:46.956661 128.221.20.13:1499 -> 128.221.20.34:139
TCP TTL:128 TOS:0x0 ID:33861 IpLen:20 DgmLen:354 DF
***AP*** Seq: 0x8A6230AB  Ack: 0xADE3E800  Win: 0xFDFF  TcpLen: 20
0x0000: 00 06 5B 04 18 A6 00 0B DB 19 79 AD 08 00 45 00  ..[.......y...E.
0x0010: 01 62 84 45 40 00 80 06 4B 67 80 DD 14 0D 80 DD  .b.E@...Kg......
0x0020: 14 22 05 DB 00 8B 8A 62 30 AB AD E3 E8 00 50 18  .".....b0.....P.
0x0030: FD FF 84 12 00 00 00 00 01 36 FF 53 4D 42 A2 00  .........6.SMB..
0x0040: 00 00 00 18 07 C8 00 00 00 00 00 00 00 00 00 00  ................
0x0050: 00 00 02 70 AC 0A 03 D0 43 5C 18 FF 00 DE DE 00  ...p....C\......
0x0060: E0 00 16 00 00 00 00 00 00 00 89 00 02 00 00 00  ................
0x0070: 00 00 00 00 00 00 80 00 00 00 07 00 00 00 01 00  ................
0x0080: 00 00 00 00 00 00 02 00 00 00 00 E3 00 00 5C 00  ..............\.
0x0090: 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00  D.o.c.u.m.e.n.t.
0x00A0: 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00  s. .a.n.d. .S.e.
0x00B0: 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00  t.t.i.n.g.s.\.A.
0x00C0: 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00  d.m.i.n.i.s.t.r.
0x00D0: 61 00 74 00 6F 00 72 00 5C 00 53 00 74 00 61 00  a.t.o.r.\.S.t.a.
0x00E0: 72 00 74 00 20 00 4D 00 65 00 6E 00 75 00 5C 00  r.t. .M.e.n.u.\.
0x00F0: 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 73 00  P.r.o.g.r.a.m.s.
0x0100: 5C 00 53 00 74 00 61 00 72 00 74 00 75 00 70 00  \.S.t.a.r.t.u.p.
0x0110: 5C 00 45 00 46 00 4C 00 48 00 33 00 30 00 31 00  \.E.F.L.H.3.0.1.
0x0120: 31 00 2E 00 50 00 50 00 44 00 3A 00 05 00 52 00  1...P.P.D.:...R.
0x0130: 61 00 65 00 63 00 32 00 35 00 70 00 68 00 34 00  a.e.c.2.5.p.h.4.
0x0140: 73 00 75 00 64 00 62 00 66 00 30 00 68 00 41 00  s.u.d.b.f.0.h.A.
0x0150: 61 00 71 00 35 00 65 00 68 00 77 00 33 00 4E 00  a.q.5.e.h.w.3.N.
0x0160: 66 00 3A 00 24 00 44 00 41 00 54 00 41 00 00 00  f.:.$.D.A.T.A...

V.Jay LaRosa
EMC Corporation
Information Security
4400 Computer Dr.
Westboro, MA 01580
www.emc.com <http://www.emc.com>
(508)898-7433 Office
(508)353-1348 Cell
888-799-9750 Pager
vjl@emc.com