Snort mailing list archives
Re: [PATCH 1/5]: byte_test: support bitwise OR
From: <Joshua.Kinard () us-cert gov>
Date: Wed, 4 May 2011 17:50:59 -0500
Yeah, I was pondering for a bit whether bitwise OR was even necessary, but couldn't think of anything. Then thought, "well, we have AND and XOR, so why not OR?". I figured one of your guys might have already considered it by now. Thanks for the feedback! The 'mask' idea simply extends byte_test's '&' operator to byte_jump and byte_extract. Kinda got the idea from the below VRT blog and found out its usefulness w/ the compression pointer in DNS: http://vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html Also, it looks like (maybe?) dcerpc2's implementation of byte_extract is incomplete. I know byte_jump and byte_extract share a lot of the same option fields, so maybe a lot of the code is merged and I just missed the bit that does one or the other. Has anyone looked at a better way to "override" rule options other than duplicating a lot of the code, as is the case w/ dcerpc2 and the three byte manipulation options? The parsing code at least appears to be much more robust in dcerpc2's implementations. Thanks!, --J -----Original Message----- From: Ryan Jordan [mailto:ryan.jordan () sourcefire com] Sent: Tuesday, May 03, 2011 3:23 PM To: Kinard, Joshua A Cc: snort-devel () lists sourceforge net Subject: Re: [Snort-devel] [PATCH 1/5]: byte_test: support bitwise OR Hi Joshua, I'm in the process of reviewing your patches now, but I figured I'd respond to this one early. I should be responding to your other emails by today or tomorrow. The attached patch does work as advertised, but using a bitwise OR in a byte_test option doesn't actually detect anything. The byte_test option works by applying an operation, then checking for a non-zero result. In the case of bitwise OR, any non-zero "value" parameter will always cause the option to match regardless of packet data. I nearly added this myself in Snort 2.8.5, until I sat and thought about actual use cases. :) Good call on the error in the manual. We'll make sure that gets fixed. Thanks, Ryan On Fri, Apr 29, 2011 at 12:41 AM, <Joshua.Kinard () us-cert gov> wrote:
Hi snort-devel, The attached patch adds bitwise OR support for byte_test. Bitwise AND and bitwise XOR is already supported**, thus I figure bitwise OR can't hurt. I cannot yet think of a use for it, but I'm sure someone out there has pondered it. Note: The manual calls bitwise XOR "OR". This is fixed in a follow-on patch to the manual. Note: Please double check-this for accuracy. There appears to be a fair bit of duplicated code in Snort, so I hope I hit all the right places. A patch specific to dcerpc2 will follow for this feature and a few others. Cheers!, --J ---------------------------------------------------------------------- -------- WhatsUp Gold - Download Free Network Management Software The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution. http://p.sf.net/sfu/whatsupgold-sd _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel
------------------------------------------------------------------------------ WhatsUp Gold - Download Free Network Management Software The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution. http://p.sf.net/sfu/whatsupgold-sd _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel
Current thread:
- [PATCH 1/5]: byte_test: support bitwise OR Joshua.Kinard (Apr 28)
- Re: [PATCH 1/5]: byte_test: support bitwise OR Ryan Jordan (May 03)
- Re: [PATCH 1/5]: byte_test: support bitwise OR Joshua.Kinard (May 04)
- Re: [PATCH 1/5]: byte_test: support bitwise OR Ryan Jordan (May 03)