Snort mailing list archives
Re: [Snort-sigs] question about isdataat
From: Joel Esler <eslerj () gmail com>
Date: Mon, 6 Jul 2009 08:41:54 -0400
2009/7/5 김무성 <kimms () infosec co kr>
This is the description of the isdataat option in the Snort manual:

isdataat: Verify that the payload has data at a specified location, optionally looking for data relative to the end of the previous content match.

Format: isdataat:<int>[,relative];

Example: alert tcp any any -> any 111 (content:"PASS"; isdataat:50,relative; content:!"|0a|"; distance:0;)

This rule looks for the string PASS in the packet, then verifies there are at least 50 bytes after the end of the string PASS, then verifies that there is not a newline character within 50 bytes of the end of the PASS string.

This is just an example.

So I tested. My test rule is this:

alert tcp any any -> any any (content:"kmsjlove"; nocase; depth:8; isdataat:50, relative; content:"|0a|"; distance:0;)
Look for "kmsjlove" no more than 8 bytes from the beginning of the packet, then skip ahead 50 bytes, relative to the end of the previous content match, which is "kmsjlove", and see if data is there. Then do a content match for the hex string 0a, at a distance of 0 relative to the end of the previous content match, which is "kmsjlove".

Does that help?

Isdataat is a "read ahead" to see if data exists at some point (in your case, 50, relative) in the packet. Doesn't matter what the data is, just as long as data exists. Isdataat does not set pointers.

--
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
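The pointer behaviour Joel describes, worked through in code: this is an added emulation (not Snort's source and not from either poster) of how content, distance and isdataat advance or leave the detect pointer, run against the rule from the thread on constructed payloads. Modelling the isdataat boundary as "a byte exists at that index" is an assumption about the exact off-by-one behaviour.

```python
# Emulation of Snort's content / distance / isdataat bookkeeping (added
# example, not Snort source). Only the options used in the thread are
# modelled; the "detect pointer" is the byte just after the last match.

def content(payload, pos, pat, nocase=False, depth=None, distance=None,
            negated=False):
    """No distance: absolute search from byte 0, limited to `depth` bytes.
    distance: search starts that many bytes after pos. Negation never moves
    the pointer. Returns (matched, new_pos)."""
    if distance is None:
        start, stop = 0, depth
    else:
        start, stop = pos + distance, None
    hay, needle = payload[start:stop], pat
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    idx = hay.find(needle)
    if negated:
        return idx == -1, pos
    return (idx != -1), (pos if idx == -1 else start + idx + len(pat))

def isdataat(payload, pos, n, relative=False):
    """Read-ahead only: is there a byte at offset n from pos (relative) or
    from byte 0? pos comes back unchanged. Boundary is an assumption."""
    base = pos if relative else 0
    return base + n < len(payload), pos

OPTIONS = {"content": content, "isdataat": isdataat}

def evaluate(rule, payload):
    """Apply options in order; returns (alert, pointer after each option)."""
    pos, trace = 0, []
    for name, kw in rule:
        ok, pos = OPTIONS[name](payload, pos, **kw)
        trace.append(pos)
        if not ok:
            return False, trace
    return True, trace

# The rule from the thread, as option tuples.
THREAD_RULE = [
    ("content", dict(pat=b"kmsjlove", nocase=True, depth=8)),
    ("isdataat", dict(n=50, relative=True)),
    ("content", dict(pat=b"\x0a", distance=0)),  # 0 bytes after "kmsjlove"
]
# Constructed payloads, not captured traffic.
LF_RIGHT_AFTER = b"KMSJLOVE\n" + b"A" * 60  # LF at byte 8, data past 58
LF_ABSENT = b"kmsjlove" + b"A" * 60
TOO_SHORT = b"kmsjlove\n" + b"A" * 40       # no byte at offset 8 + 50
```

The pointer trace shows isdataat leaving the pointer at 8, so the |0a| search begins immediately after "kmsjlove", not 50 bytes later.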