Snort mailing list archives
Re: Rule to capture only packets with certain content/bytes
From: Brian <bmc () snort org>
Date: Sun, 30 Nov 2003 17:53:03 -0500
I've added snort-sigs, since this discussion should be there. Ok, first things first. Don't use tcpdump for your packet display. You are seeing the Ethernet, IP and UDP headers. (BTW... I'm guessing 217.82.XXX.XXX is you?) Let's cut out everything that isn't the UDP datagram. We get this:
8B 0F 00 4D 4A 31 ....l..!.X...MJ1 0030 32 20 7C 7C 20 4D 61 73 74 65 72 00 00 00 96 18 2 || Master..... 0040 00 00 00 ...
and this:
8B 1F 00 49 68 61 ..8Bl..1n....Iha 0030 76 65 61 6C 6F 6E 67 6E 61 6D 65 73 69 6E 63 65 vealongnamesince 0040 73 70 6F 6F 6B 73 74 61 68 74 6F 00 00 00 96 29 spookstahto....) 0050 00 00 00 ...
Now that's a ton less data to look at. Let's try and figure out this protocol.

1) the first byte is similar. (0x8B)
2) the second byte looks like the length of the message being sent. ("Ihavealongnamesincespookstahto" in the second example)
3) after the message, there is a similar string (0x00000096, not 0x00000090 like you mentioned)
4) one byte after the previous string there is another similar string (0x000000)

So let's put the meat of the rule together based on what we figured out.

content:"|8B|"; depth:1; byte_jump:1,1; content:"|00 00 00 96|"; distance:0; within:4; content:"|00 00 00|"; distance:1; within:3;

Since you say this traffic is always on port 27888, we can include that in the rule as well. Our finished rule now looks like this:

alert udp any any -> any 27888 (content:"|8B|"; depth:1; byte_jump:1,1; content:"|00 00 00 96|"; distance:0; within:4; content:"|00 00 00|"; distance:1; within:3;)

Of course, you need a sid, a classtype, and a message. Oh, and references to what this packet means would be useful too. :P

-brian
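Added example, not part of the original thread: a small Python emulation of how the rule's option chain (content/depth, byte_jump, distance/within) walks a UDP payload, run over the two datagrams reconstructed from the hex dumps above and over two tampered copies that must not match. It assumes Snort 2 byte_jump semantics (the detect-offset-end pointer moves to offset + bytes_to_convert + value, big-endian by default); the 0x00 between the length byte and the message is treated as opaque, as in the post, and the sample datagrams are constructed from the dumps rather than captured.

```python
# Emulation of the Snort rule from the post (typo "distace" corrected):
#   alert udp any any -> any 27888 (content:"|8B|"; depth:1; byte_jump:1,1;
#       content:"|00 00 00 96|"; distance:0; within:4;
#       content:"|00 00 00|"; distance:1; within:3;)
# Assumption: Snort 2 byte_jump moves the doe_ptr to offset + bytes_to_convert + value,
# and "distance:N; within:M" means the next content starts N bytes past doe_ptr
# and must lie entirely inside the next M bytes.
from typing import Optional

# Datagrams reconstructed from the two hex dumps in the post (constructed, not captured).
DATAGRAM_1 = (bytes([0x8B, 0x0F, 0x00]) + b"MJ12 || Master"
              + bytes([0x00, 0x00, 0x00, 0x96, 0x18, 0x00, 0x00, 0x00]))
DATAGRAM_2 = (bytes([0x8B, 0x1F, 0x00]) + b"Ihavealongnamesincespookstahto"
              + bytes([0x00, 0x00, 0x00, 0x96, 0x29, 0x00, 0x00, 0x00]))


def byte_jump(payload: bytes, bytes_to_convert: int, offset: int) -> Optional[int]:
    """byte_jump:<bytes_to_convert>,<offset>: read the length field at a fixed
    offset from the start of the payload and return the new doe_ptr."""
    if offset + bytes_to_convert > len(payload):
        return None
    value = int.from_bytes(payload[offset:offset + bytes_to_convert], "big")
    new_ptr = offset + bytes_to_convert + value
    return new_ptr if new_ptr <= len(payload) else None


def content_within(payload: bytes, pattern: bytes, start: int, within: int) -> Optional[int]:
    """content:<pattern>; distance:<d>; within:<within>; with start = doe_ptr + d.
    Returns the doe_ptr just past the match, or None when the pattern is not
    fully inside payload[start:start + within]."""
    idx = payload[start:start + within].find(pattern)
    if idx < 0:
        return None
    return start + idx + len(pattern)


def rule_matches(payload: bytes) -> bool:
    """True when the payload satisfies every option of the rule, in order."""
    # content:"|8B|"; depth:1;  -> the match must sit in the first byte
    if payload[:1] != b"\x8B":
        return False
    # byte_jump:1,1;  -> 1-byte length at offset 1; doe_ptr = 1 + 1 + length
    doe = byte_jump(payload, 1, 1)
    if doe is None:
        return False
    # content:"|00 00 00 96|"; distance:0; within:4;
    doe = content_within(payload, b"\x00\x00\x00\x96", doe + 0, 4)
    if doe is None:
        return False
    # content:"|00 00 00|"; distance:1; within:3;  -> skip the one varying byte
    return content_within(payload, b"\x00\x00\x00", doe + 1, 3) is not None


def message_text(payload: bytes) -> str:
    """The string the length byte covers, following the post's reading of the
    format: everything between the length byte (and the opaque 0x00) and the
    position byte_jump lands on, with trailing NULs stripped."""
    end = byte_jump(payload, 1, 1)
    if end is None:
        return ""
    return payload[3:end].rstrip(b"\x00").decode("ascii", errors="replace")


if __name__ == "__main__":
    for name, dgram in (("dump 1", DATAGRAM_1), ("dump 2", DATAGRAM_2)):
        print(name, rule_matches(dgram), repr(message_text(dgram)))
    # Same datagram with the marker byte the original poster expected (0x90): no alert.
    print("0x90 marker", rule_matches(DATAGRAM_2.replace(b"\x96", b"\x90")))
    # Length byte off by one: byte_jump lands past the marker, so no alert.
    print("bad length", rule_matches(b"\x8B\x10" + DATAGRAM_1[2:]))
```

The off-by-one cases are the ones worth keeping in a test: if the length field in the real protocol did not include that extra byte, byte_jump would land one byte short and the within:4 window would still catch the marker, but a length one byte too long pushes the pointer past it and the rule goes silent.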
Current thread:
- Rule to capture only packets with certain content/bytes Admin (Nov 30)
- Re: Rule to capture only packets with certain content/bytes Brian (Nov 30)