Snort mailing list archives
Re: Understanding byte_test
From: rmkml <rmkml () yahoo fr>
Date: Thu, 6 Oct 2011 23:53:14 +0200 (CEST)
Hi James,

I'm not sure if you are right. Change on your byte_test "definition":

    ... sure it's greater than decimal 31 and start processing 58 bytes <= add: relative => into the payload, ...

For me, on your rule, byte_test does not match with your network traffic example. To make it work, change byte_test to 'byte_test:1,=,0,58,relative;' or 'content:"|00|"; within:1; distance:58;'.

My idea: the http reply content length is 1786540, this sid uses 'distance:0', snort fires further into your sample... Converted your sample to a pcap file, attached.

Comment: big on byte_test is not necessary here because it's only one byte.

Regards
Rmkml
http://twitter.com/rmkml

On Thu, 6 Oct 2011, Lay, James wrote:
So... I saw this today. Here's the rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT AVI DirectShow quicktime parsing overflow attempt "; flow:to_client,established; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; fast_pattern; byte_test:1,>,31,58,relative,big; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:bugtraq,35139; reference:cve,2009-1537; reference:url,www.microsoft.com/technet/security/advisory/971778.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS09-028.mspx; classtype:attempted-user; sid:15517; rev:6;)

If I'm understanding byte_test correctly, this says "test one byte, make sure it's greater than decimal 31 and start processing 58 bytes into the payload, but because our last match was stsd, start at packet 2c5". This then matches byte 2d0, since it's A0, yes? Or am I reading this way wrong? Thanks for any understanding you can shed.

James

WEB-CLIENT AVI DirectShow quicktime parsing overflow attempt
209.161.5.216 -> bleh
IPVer=4 hlen=5 tos=0 dlen=1440 ID=55752 flags=2 offset=0 ttl=60 chksum=32241
Protocol: 6 sport=80 -> dport=2915
Seq=2936503472 Ack=150666001 Off=5 Res=0 Flags=***A**** Win=6432 urp=63069 chksum=0
Payload:
000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
010 : 0A 44 61 74 65 3A 20 54 68 75 2C 20 30 36 20 4F  .Date: Thu, 06 O
020 : 63 74 20 32 30 31 31 20 31 39 3A 30 37 3A 34 35  ct 2011 19:07:45
030 : 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70  GMT..Server: Ap
040 : 61 63 68 65 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66  ache..Last-Modif
050 : 69 65 64 3A 20 46 72 69 2C 20 33 30 20 53 65 70  ied: Fri, 30 Sep
060 : 20 32 30 31 31 20 31 39 3A 32 34 3A 35 39 20 47  2011 19:24:59 G
070 : 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 6E 67 65  MT..Accept-Range
080 : 73 3A 20 62 79 74 65 73 0D 0A 43 6F 6E 74 65 6E  s: bytes..Conten
090 : 74 2D 4C 65 6E 67 74 68 3A 20 31 37 38 36 35 34  t-Length: 178654
0a0 : 30 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 74  0..Keep-Alive: t
0b0 : 69 6D 65 6F 75 74 3D 35 2C 20 6D 61 78 3D 31 30  imeout=5, max=10
0c0 : 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B  0..Connection: K
0d0 : 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74 65  eep-Alive..Conte
0e0 : 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 70 6C  nt-Type: text/pl
0f0 : 61 69 6E 0D 0A 0D 0A 00 00 00 20 66 74 79 70 4D  ain....... ftypM
100 : 34 56 50 00 00 00 01 4D 34 56 50 4D 34 41 20 6D  4VP....M4VPM4A m
110 : 70 34 32 69 73 6F 6D 00 00 15 63 6D 6F 6F 76 00  p42isom...cmoov.
120 : 00 00 6C 6D 76 68 64 00 00 00 00 CA AB C3 E3 CA  ..lmvhd.........
130 : AB C3 E3 00 00 02 58 00 00 28 96 00 01 00 00 01  ......X..(......
140 : 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ................
150 : 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ................
160 : 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00  ...........@....
170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
180 : 00 00 00 00 00 00 00 00 00 00 03 00 00 0E BE 74  ...............t
190 : 72 61 6B 00 00 00 5C 74 6B 68 64 00 00 00 01 CA  rak...\tkhd.....
1a0 : AB C3 CB CA AB C3 E3 00 00 00 01 00 00 00 00 00  ................
1b0 : 00 28 96 00 00 00 00 00 00 00 00 00 00 00 00 00  .(..............
1c0 : 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
1d0 : 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
1e0 : 00 00 00 40 00 00 00 01 E0 00 00 01 10 00 00 00  ...@............
1f0 : 00 00 24 65 64 74 73 00 00 00 1C 65 6C 73 74 00  ..$edts....elst.
200 : 00 00 00 00 00 00 01 00 00 28 96 00 00 00 00 00  .........(......
210 : 01 00 00 00 00 0E 36 6D 64 69 61 00 00 00 20 6D  ......6mdia... m
220 : 64 68 64 00 00 00 00 CA AB C3 E3 CA AB C3 E3 00  dhd.............
230 : 00 0B B5 00 00 CA BC 15 C7 00 00 00 00 00 3A 68  ..............:h
240 : 64 6C 72 00 00 00 00 00 00 00 00 76 69 64 65 00  dlr........vide.
250 : 00 00 00 00 00 00 00 00 00 00 00 41 70 70 6C 65  ...........Apple
260 : 20 56 69 64 65 6F 20 4D 65 64 69 61 20 48 61 6E  Video Media Han
270 : 64 6C 65 72 00 00 00 0D D4 6D 69 6E 66 00 00 00  dler.....minf...
280 : 14 76 6D 68 64 00 00 00 01 00 00 00 00 00 00 00  .vmhd...........
290 : 00 00 00 00 24 64 69 6E 66 00 00 00 1C 64 72 65  ....$dinf....dre
2a0 : 66 00 00 00 00 00 00 00 01 00 00 00 0C 75 72 6C  f............url
2b0 : 20 00 00 00 01 00 00 0D 94 73 74 62 6C 00 00 00  ........stbl...
2c0 : B0 73 74 73 64 00 00 00 00 00 00 00 01 00 00 00  .stsd...........
2d0 : A0 61 76 63 31 00 00 00 00 00 00 00 01 00 00 00  .avc1...........
2e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 01 E0 01  ................
2f0 : 10 00 48 00 00 00 48 00 00 00 00 00 00 00 01 00  ..H...H.........
300 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
310 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
320 : 18 FF FF 00 00 00 2E 61 76 63 43 01 42 E0 15 FF  .......avcC.B...
330 : 01 00 17 27 42 E0 15 A9 18 3C 11 D8 03 50 60 10  ...'B....<...P`.
340 : 6B 6D E8 03 D2 03 D5 7B DF 01 01 00 04 28 DE 09  km.....{.....(..
350 : 88 00 00 00 1C 75 75 69 64 6B 68 40 F2 5F 24 4F  .....uuidkh@._$O
360 : C5 BA 39 A5 1B CF 03 23 F3 00 00 00 01 00 00 00  ..9....#........
370 : 18 73 74 74 73 00 00 00 00 00 00 00 01 00 00 02  .stts...........
380 : 07 00 00 00 64 00 00 00 24 73 74 73 73 00 00 00  ....d...$stss...
390 : 00 00 00 00 05 00 00 00 01 00 00 00 79 00 00 00  ............y...
3a0 : F1 00 00 01 69 00 00 01 E1 00 00 03 4C 73 74 73  ....i.......Lsts
3b0 : 63 00 00 00 00 00 00 00 45 00 00 00 01 00 00 00  c.......E.......
3c0 : 09 00 00 00 01 00 00 00 02 00 00 00 06 00 00 00  ................
3d0 : 01 00 00 00 03 00 00 00 09 00 00 00 01 00 00 00  ................
3e0 : 04 00 00 00 06 00 00 00 01 00 00 00 05 00 00 00  ................
3f0 : 09 00 00 00 01 00 00 00 06 00 00 00 06 00 00 00  ................
400 : 01 00 00 00 07 00 00 00 09 00 00 00 01 00 00 00  ................
410 : 08 00 00 00 06 00 00 00 01 00 00 00 09 00 00 00  ................
420 : 09 00 00 00 01 00 00 00 0A 00 00 00 06 00 00 00  ................
430 : 01 00 00 00 0B 00 00 00 09 00 00 00 01 00 00 00  ................
440 : 0C 00 00 00 06 00 00 00 01 00 00 00 0D 00 00 00  ................
450 : 09 00 00 00 01 00 00 00 0E 00 00 00 06 00 00 00  ................
460 : 01 00 00 00 0F 00 00 00 09 00 00 00 01 00 00 00  ................
470 : 10 00 00 00 06 00 00 00 01 00 00 00 11 00 00 00  ................
480 : 09 00 00 00 01 00 00 00 12 00 00 00 06 00 00 00  ................
490 : 01 00 00 00 13 00 00 00 09 00 00 00 01 00 00 00  ................
4a0 : 14 00 00 00 06 00 00 00 01 00 00 00 15 00 00 00  ................
4b0 : 09 00 00 00 01 00 00 00 16 00 00 00 06 00 00 00  ................
4c0 : 01 00 00 00 17 00 00 00 09 00 00 00 01 00 00 00  ................
4d0 : 18 00 00 00 06 00 00 00 01 00 00 00 19 00 00 00  ................
4e0 : 09 00 00 00 01 00 00 00 1A 00 00 00 06 00 00 00  ................
4f0 : 01 00 00 00 1B 00 00 00 09 00 00 00 01 00 00 00  ................
500 : 1C 00 00 00 06 00 00 00 01 00 00 00 1D 00 00 00  ................
510 : 09 00 00 00 01 00 00 00 1E 00 00 00 06 00 00 00  ................
520 : 01 00 00 00 1F 00 00 00 09 00 00 00 01 00 00 00  ................
530 : 20 00 00 00 06 00 00 00 01 00 00 00 21 00 00 00  ...........!...
540 : 09 00 00 00 01 00 00 00 22 00 00 00 06 00 00 00  ........".......
550 : 01 00 00 00 23 00 00 00 09 00 00 00 01 00 00 00  ....#...........
560 : 24 00 00 00 06 00 00 00 01 00 00 00 25 00 00 00  $...........%...
570 : 09 00 00 00 01 00 00 00                          ........
Attachment:
snortbytetest.pcap
Description:
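To check the offset arithmetic the thread argues about, here is a small Python model of Snort's content/distance/within and byte_test keywords, run over bytes 0x2b0-0x2ff of the hex dump above. It is an added example, not Snort's code and not from either poster; the model simplifies Snort's matching engine (one buffer, no fast-pattern or stream reassembly), and the earlier "moov"/"vide" matches are assumed to lie before the embedded window.

```python
import operator

# Constructed from the thread's hex dump: payload bytes 0x2b0..0x2ff, the region
# around "stsd". The earlier "moov" and "vide" matches lie before this window.
BASE = 0x2B0
PAYLOAD = bytes.fromhex(
    "20 00 00 00 01 00 00 0D 94 73 74 62 6C 00 00 00"   # 2b0 ........stbl...
    "B0 73 74 73 64 00 00 00 00 00 00 00 01 00 00 00"   # 2c0 .stsd...........
    "A0 61 76 63 31 00 00 00 00 00 00 00 01 00 00 00"   # 2d0 .avc1...........
    "00 00 00 00 00 00 00 00 00 00 00 00 00 01 E0 01"   # 2e0
    "10 00 48 00 00 00 48 00 00 00 00 00 00 00 01 00"   # 2f0
)

# Simplified model of the byte_test comparison operators (not Snort's code).
OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq, "!": operator.ne,
       "&": lambda v, n: v & n != 0, "^": lambda v, n: v ^ n != 0}


def content_match(data, pattern, cursor=0, distance=0, within=None):
    """Model content;distance;within: search from `distance` bytes past the
    cursor (the end of the previous match); with `within`, the pattern must
    fit inside the next `within` bytes. Returns the new cursor or None."""
    start = cursor + distance
    end = len(data) if within is None else start + within
    idx = data.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)


def byte_test(data, size, op, value, offset, cursor=0, relative=False, big=True):
    """Model byte_test:size,op,value,offset[,relative][,big|little]. With
    `relative`, `offset` counts from the cursor left by the last content match.
    For size 1 the endianness keyword changes nothing, as rmkml notes."""
    pos = (cursor if relative else 0) + offset
    if pos < 0 or pos + size > len(data):
        return False  # read falls outside the buffer: no match, no alert
    num = int.from_bytes(data[pos:pos + size], "big" if big else "little")
    return OPS[op](num, value)


def walk_sample():
    """Apply the rule's byte_test and rmkml's two alternatives to the sample."""
    cur = content_match(PAYLOAD, b"stsd")          # cursor just past "stsd"
    pos = cur + 58                                  # where the 1-byte test reads
    return {
        "cursor": BASE + cur,                       # 0x2c5
        "tested_offset": BASE + pos,                # 0x2ff, not 0x2d0
        "tested_byte": PAYLOAD[pos],                # 0x00
        "orig_gt_31": byte_test(PAYLOAD, 1, ">", 31, 58, cursor=cur, relative=True),
        "alt_eq_0": byte_test(PAYLOAD, 1, "=", 0, 58, cursor=cur, relative=True),
        "alt_content": content_match(PAYLOAD, b"\x00", cursor=cur,
                                     distance=58, within=1) is not None,
    }


if __name__ == "__main__":
    print(walk_sample())
```

The byte at 0x2d0 (0xA0) is only 11 bytes past the cursor, so the original test never reads it; 58 bytes past 0x2c5 lands on 0x2ff, which is 0x00 and fails the `>31` test while passing both of rmkml's rewrites.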
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Understanding byte_test Lay, James (Oct 06)
- Re: Understanding byte_test rmkml (Oct 06)