Snort mailing list archives

Re: [PATCH 1/5]: byte_test: support bitwise OR


From: <Joshua.Kinard () us-cert gov>
Date: Wed, 4 May 2011 17:50:59 -0500


Yeah, I was pondering for a bit whether bitwise OR was even necessary, but couldn't think of anything.  Then I thought, 
"well, we have AND and XOR, so why not OR?".  I figured one of your guys might have already considered it by now.  
Thanks for the feedback!

The 'mask' idea simply extends byte_test's '&' operator to byte_jump and byte_extract.  Kinda got the idea from the 
below VRT blog and found out its usefulness w/ the compression pointer in DNS:
http://vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html


Also, it looks like (maybe?) dcerpc2's implementation of byte_extract is incomplete.  I know byte_jump and byte_extract 
share a lot of the same option fields, so maybe a lot of the code is merged and I just missed the bit that does one or 
the other.  Has anyone looked at a better way to "override" rule options other than duplicating a lot of the code, as 
is the case w/ dcerpc2 and the three byte manipulation options?  The parsing code at least appears to be much more 
robust in dcerpc2's implementations.

Thanks!

--J
 

-----Original Message-----
From: Ryan Jordan [mailto:ryan.jordan () sourcefire com] 
Sent: Tuesday, May 03, 2011 3:23 PM
To: Kinard, Joshua A
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] [PATCH 1/5]: byte_test: support bitwise OR

Hi Joshua,

I'm in the process of reviewing your patches now, but I figured I'd respond to this one early. I should be responding 
to your other emails by today or tomorrow.

The attached patch does work as advertised, but using a bitwise OR in a byte_test option doesn't actually detect 
anything. The byte_test option works by applying an operation, then checking for a non-zero result. In the case of 
bitwise OR, any non-zero "value" parameter will always cause the option to match regardless of packet data.

I nearly added this myself in Snort 2.8.5, until I sat and thought about actual use cases. :)

Good call on the error in the manual. We'll make sure that gets fixed.

Thanks,
Ryan

On Fri, Apr 29, 2011 at 12:41 AM,  <Joshua.Kinard () us-cert gov> wrote:

Hi snort-devel,

The attached patch adds bitwise OR support for byte_test.  Bitwise AND 
and bitwise XOR are already supported**, thus I figure bitwise OR can't 
hurt.  I cannot yet think of a use for it, but I'm sure someone out 
there has pondered it.

Note: The manual calls bitwise XOR "OR".  This is fixed in a follow-on 
patch to the manual.

Note: Please double-check this for accuracy.  There appears to be a 
fair bit of duplicated code in Snort, so I hope I hit all the right places.
A patch specific to dcerpc2 will follow for this feature and a few 
others.


Cheers!

--J

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel



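Two technical points in the thread can be checked with a small model: Ryan's observation that byte_test applies the operator and then matches on any non-zero result (so a bitwise OR with a non-zero value matches every packet), and Joshua's mask use case for the DNS compression pointer, where the top two bits of the 16-bit field must be stripped before the offset is usable. The Python below is an added example written for this archive page; it is not Snort source and does not reproduce Snort's option parser. It assumes only the semantics stated in the thread (operator applied to the extracted big-endian integer and the rule's value, match on non-zero result; "mask" as a bitwise AND applied to the extracted value before byte_jump/byte_extract use it). The DNS packet bytes and all function names are constructed for the example.

```python
"""Model of byte_test operators and a masked byte_extract (added example, not Snort code).

Assumed semantics, taken from the thread: byte_test applies <op> to the extracted
integer and the rule value and matches when the result is non-zero; the proposed
mask ANDs the extracted integer before byte_jump/byte_extract use it.
"""


def extract_be(payload: bytes, count: int, offset: int) -> int:
    """Read `count` bytes at `offset` as a big-endian unsigned integer, bounds-checked."""
    if count not in (1, 2, 4) or offset < 0 or offset + count > len(payload):
        raise ValueError("offset/count out of bounds")
    return int.from_bytes(payload[offset:offset + count], "big")


def byte_test(payload: bytes, count: int, op: str, value: int, offset: int) -> bool:
    """byte_test:<count>,<op>,<value>,<offset>  (model; assumed semantics)."""
    n = extract_be(payload, count, offset)
    if op == "&":
        return (n & value) != 0      # bitwise AND: matches if ANY bit in `value` is set in n
    if op == "^":
        return (n ^ value) != 0      # bitwise XOR: matches if n differs from `value` anywhere
    if op == "|":
        return (n | value) != 0      # the patch's proposed OR: see or_always_matches()
    if op == "=":
        return n == value
    if op == "<":
        return n < value
    if op == ">":
        return n > value
    raise ValueError(f"unknown operator {op!r}")


def or_always_matches(value: int) -> bool:
    """Exhaustive over every possible one-byte field: does '|' with `value` match for all data?

    For any non-zero `value` the answer is True, so the option cannot discriminate packets.
    With value 0 it degenerates to 'field is non-zero', which '>' 0 already expresses.
    """
    return all(byte_test(bytes([b]), 1, "|", value, 0) for b in range(256))


def masked_extract(payload: bytes, count: int, offset: int, mask: int) -> int:
    """byte_extract with the proposed mask option: AND the value before using it."""
    return extract_be(payload, count, offset) & mask


def is_compression_pointer(payload: bytes, offset: int) -> bool:
    """Both top bits set (RFC 1035 s4.1.4). A single '&' 0xC0 test would also fire on
    0x40 or 0x80 alone, so the check needs one byte_test per bit."""
    return (byte_test(payload, 1, "&", 0x80, offset)
            and byte_test(payload, 1, "&", 0x40, offset))


# Constructed DNS response (45 bytes): header, question for example.com, one A record
# whose NAME is the compression pointer 0xC00C (offset 12) at byte 29.
DNS_RESPONSE = bytes.fromhex(
    "1234" "8180" "0001" "0001" "0000" "0000"    # header: id, flags, qd=1, an=1, ns=0, ar=0
    "07" "6578616d706c65" "03" "636f6d" "00"     # QNAME example.com, bytes 12..24
    "0001" "0001"                                # QTYPE A, QCLASS IN
    "c00c"                                       # answer NAME: pointer to offset 12
    "0001" "0001" "00000e10" "0004" "5db8d822"   # A, IN, TTL 3600, RDLENGTH 4, 93.184.216.34
)
ANSWER_NAME_OFFSET = 29


def pointer_offset_unmasked() -> int:
    """What byte_extract yields today: 0xC00C = 49164, far past the end of the packet."""
    return extract_be(DNS_RESPONSE, 2, ANSWER_NAME_OFFSET)


def pointer_offset_masked() -> int:
    """With mask 0x3FFF the 14-bit offset (12) comes out directly."""
    return masked_extract(DNS_RESPONSE, 2, ANSWER_NAME_OFFSET, 0x3FFF)


def read_name(payload: bytes, offset: int, depth: int = 0) -> str:
    """Decode a DNS name, resolving pointers via the masked extract; proves the offset is right."""
    labels = []
    while True:
        length = payload[offset]
        if is_compression_pointer(payload, offset):
            if depth > 5:
                raise ValueError("compression pointer loop")
            target = masked_extract(payload, 2, offset, 0x3FFF)
            labels.append(read_name(payload, target, depth + 1))
            return ".".join(labels)
        if length == 0:
            return ".".join(labels)
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


if __name__ == "__main__":
    print("'|' with value 1 matches every byte:", or_always_matches(1))
    print("unmasked pointer field:", hex(pointer_offset_unmasked()))
    print("masked pointer offset:", pointer_offset_masked())
    print("name at answer:", read_name(DNS_RESPONSE, ANSWER_NAME_OFFSET))
```

Running it shows the two halves of the discussion side by side: `or_always_matches(1)` is True for every byte value, while the unmasked pointer field reads as 49164 and only the masked form yields the offset 12 that resolves to example.com. The `is_compression_pointer` helper also records why a plain `&` 0xC0 test is not enough for the pointer check: under the assumed "match on non-zero" rule it fires when either bit is set, so requiring both bits takes two byte_tests (or a mask followed by an equality test).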

