Re: Question regarding distances after a byte_jump...

[evejou <girl () techn0ev3 net>]

Grr.. I suddenly realized why my signature was all messed up; my fatal
mistake was forgetting that from_beginning meant: "from the VERY BEGINNING,
from the HTTP header in my packet, which I totally forgot was there."
Suddenly all of my results make sense. :P

Thanks Joel... Sorry to bother.

Also, what's the difference (if there is any) between setting "post_offset
2" and using "distance:2"?



On Thu, Dec 16, 2010 at 7:37 PM, Joel Esler <jesler () sourcefire com> wrote:

> Two things that I see right away that you might want to try and make your
> life easier.
>
> from_beginning's function is to start it's packet jumping at the beginning
> of the packet, as opposed to where your pointer is, and I am not sure that's
> what you are trying to do from reading your email.
>
> Also, post_offset can confuse the novice, so you might want go make it
> simpler for you.
>
> content:"|MM MM|"; byte_jump:3,0,relative; content:"|AA AA|"; distance:2;
> within:2;
>
>
> From reading your email, that might be what you are trying to do, please
> let me know?
>
> Joel
>
> On Dec 16, 2010, at 5:55 PM, evejou wrote:
>
>
>
> > I was trying to write a signature for Snort v2.6.1.5. I have a question
> about using the distance/within tags after a byte_test, if that's even
> proper use for it.
>
> Oops. I meant, byte_jump.
>
>
>
> On Thu, Dec 16, 2010 at 5:54 PM, evejou <girl () techn0ev3 net> wrote:
>
> > Hi,
> >
> > I was trying to write a signature for Snort v2.6.1.5. I have a question
> > about using the distance/within tags after a byte_test, if that's even
> > proper use for it.
> >
> > Say there's a packet that looks kind of like this:
> >
> > MM MM OO OO OO [....] TT XX XX AA AA ...
> >
> > (MM -- magic number)
> > (OO -- offset value that points to the TTs; this offset counts from the
> > beginning of the file)
> > (XX XX -- 2 bytes that I don't care about)
> >
> > I was trying to figure out where the pointer would be after a byte_jump,
> > so I tried to write the following to see if it would trigger:
> >       *content:"|MM MM|";
> > byte_jump:3,0,relative,from_beginning,post_offset 2; content:"|AA AA|";
> > distance:0; within:2;*
> > I noticed that this didn't trigger, but that it did when I removed the
> > "within:2" part.
> >
> >
> > And then I tried the following:
> >       *content:"|MM MM|";
> > byte_jump:3,0,relative,from_beginning,post_offset 2; content:"|OO OO OO|";
> > distance:0; within:3;*
> > and this triggered as well.
> >
> > My first question is whether this is expected behavior (or am I doing
> > something wrong?), and adjunctly to that, how I could get a hit on that
> > second content tag (the |AA AA| part)...
> >
> >
> > Thanks,
> > Alice
> >
> > --
> > ---
> > girl () techn0ev3 net
> >
> > Finché c'è vita, c'è speranza.
> > As long as there is life, there is hope.
>
>
>
> --
> ---
> girl () techn0ev3 net
>
> Finché c'è vita, c'è speranza.
> As long as there is life, there is hope.
>
> ------------------------------------------------------------------------------
> Lotusphere 2011
> Register now for Lotusphere 2011 and learn how
> to connect the dots, take your collaborative environment
> to the next level, and enter the era of Social Business.
>
> http://p.sf.net/sfu/lotusphere-d2d_______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs


-- 
---
girl () techn0ev3 net

Finché c'è vita, c'è speranza.
As long as there is life, there is hope.

------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs