Snort mailing list archives
Re: byte_test and relative
From: Todd Wease <twease () sourcefire com>
Date: Fri, 2 Nov 2012 13:09:37 -0400
On Fri, Nov 2, 2012 at 1:06 PM, Todd Wease <twease () sourcefire com> wrote:
On Fri, Oct 12, 2012 at 3:10 PM, Brandon Castel <bcastel () wurldtech com> wrote:

Hi all,

We've noticed that using byte_test doesn't seem to advance the relative pointer in the way we'd expect and were wondering if this was by-design behavior or a bug (the docs don't discuss the relative concept in any depth as far as I can tell).

Here's a contrived example of what we're noticing. Against this (hex) data:

    05 64 16 21 AB CD 11 22 CC CC AA A1 0D

we write a rule with the following body (ignore for conversation's sake that we can write the 2nd and 3rd as contents and avoid this whole mess):

    content:"|05 64|";
    byte_test:1,>,7,0,relative;
    byte_test:2,=,0xABCD,2,relative;
    byte_test:1,=,0x0D,10,relative;

This rule will fire, but notice that the offsets of the three byte_tests are relative to 0x0564 and not to each other. In the simple example that's not a big deal; it's all fixed offsets, so we can just adjust our numbers a bit and it all works out.

The problem is when we'd like to do more complicated things. For example, we have a signature we want to write which reads two variables from a packet at fixed offsets from the header, does a simple calculation on them (2a + b + 6) to find the offset of some bytes further down the packet. We had *hoped* to solve this by combining byte_extract and byte_test, kind of like this:

    byte_extract:1,0,variableA,multiplier 2;
    byte_extract:1,4,variableB;
    byte_test:1,^,0xff,6;
    byte_test:1,^,0xff,variableA;
    byte_test:4,>,0xAABBCCDD,variableB;   # our actual test goes here at relative offset variableB

The idea being we're taking advantage of the fact that doing a logical OR with 0xff is always true, so we force the relative pointer to where we want it in stages. We want 2A + B + 6, so we move it 6, then 2A, then B.

Any thoughts (or alternative solutions) guys?

byte_test doesn't increment the relative pointer.
I think the following may work:

    byte_extract:1,5,variableB;
    byte_jump:1,-6,relative,multiplier 2,post_offset 11;
    byte_test:4,>,0xAABBCCDD,variableB;
I think the last one should have a relative flag:

    byte_test:4,>,0xAABBCCDD,variableB,relative;
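As an added example (not code from this thread and not Snort source), here is a small Python model of the "detect offset end" cursor that the relative flag refers to, so the rule bodies above can be traced option by option. The byte_test behaviour (compares, never moves the cursor) is what Todd states above; the content, byte_extract and byte_jump semantics are my reading of the Snort 2.9 manual and are an assumption to check against the manual for your version. Brandon's hex data is used as-is; the second payload, its offsets and the variable names used with it are constructed for this example.

```python
"""Model of Snort 2.x detection-option cursor semantics (added example, NOT Snort code).

Semantics modelled (assumption: my reading of the Snort 2.9 manual; verify locally):
  content       on match, cursor = end of the matched bytes
  byte_test     compares, does NOT move the cursor (confirmed in the thread)
  byte_extract  stores value * multiplier, cursor = end of the extracted bytes
  byte_jump     cursor = end of bytes read + value * multiplier + post_offset
A read past the end of the payload makes the option fail, as in Snort.
Operators: < > = and the bitwise & / ^ (true when the result is non-zero).
"""
import operator

OPS = {
    "<": operator.lt,
    ">": operator.gt,
    "=": operator.eq,
    "&": lambda a, b: (a & b) != 0,
    "^": lambda a, b: (a ^ b) != 0,   # '^' is bitwise XOR in byte_test
}


class Cursor:
    def __init__(self, payload: bytes):
        self.payload = payload
        self.pos = 0      # the doe_ptr: where 'relative' offsets are measured from
        self.vars = {}    # byte_extract variables

    def _read(self, nbytes, offset, relative):
        """Big-endian read; returns (value, end_index) or None when out of range."""
        start = (self.pos if relative else 0) + offset
        end = start + nbytes
        if start < 0 or end > len(self.payload):
            return None
        return int.from_bytes(self.payload[start:end], "big"), end

    def _value(self, v):
        # byte_test may take a byte_extract variable name instead of a literal
        return self.vars[v] if isinstance(v, str) else v

    def content(self, pattern: bytes, relative=False) -> bool:
        idx = self.payload.find(pattern, self.pos if relative else 0)
        if idx < 0:
            return False
        self.pos = idx + len(pattern)
        return True

    def byte_test(self, nbytes, op, value, offset, relative=False) -> bool:
        r = self._read(nbytes, self._value(offset), relative)
        if r is None:
            return False
        return OPS[op](r[0], self._value(value))   # self.pos deliberately untouched

    def byte_extract(self, nbytes, offset, name, relative=False, multiplier=1) -> bool:
        r = self._read(nbytes, offset, relative)
        if r is None:
            return False
        self.vars[name] = r[0] * multiplier
        self.pos = r[1]                            # cursor moves past the extracted bytes
        return True

    def byte_jump(self, nbytes, offset, relative=False, multiplier=1, post_offset=0) -> bool:
        r = self._read(nbytes, offset, relative)
        if r is None:
            return False
        new_pos = r[1] + r[0] * multiplier + post_offset
        if not 0 <= new_pos <= len(self.payload):
            return False
        self.pos = new_pos
        return True


# Brandon's hex data from the thread.
THREAD_PAYLOAD = bytes.fromhex("05 64 16 21 AB CD 11 22 CC CC AA A1 0D")


def trace_thread_rule(payload=THREAD_PAYLOAD):
    """Brandon's first rule body. Returns (all options matched, cursor after each option)."""
    c = Cursor(payload)
    steps = [
        lambda: c.content(bytes.fromhex("05 64")),
        lambda: c.byte_test(1, ">", 7, 0, relative=True),
        lambda: c.byte_test(2, "=", 0xABCD, 2, relative=True),
        lambda: c.byte_test(1, "=", 0x0D, 10, relative=True),
    ]
    results, positions = [], []
    for step in steps:
        results.append(step())
        positions.append(c.pos)   # stays at 2 (end of "05 64") for every byte_test
    return all(results), positions


# Constructed payload for the 2A + B + 6 case: A=2 at offset 0, B=3 at offset 4,
# so the target is offset 2*2 + 3 + 6 = 13, where a 4-byte marker sits.
CONSTRUCTED_PAYLOAD = bytes.fromhex("02 00 00 00 03 00 00 00 00 00 00 00 00 DE AD BE EF")


def jump_to_computed_offset(payload=CONSTRUCTED_PAYLOAD):
    """Reach offset 2A + B + 6 with byte_extract + byte_jump (the byte_jump approach
    suggested in the thread), then byte_test there. Offsets are chosen for
    CONSTRUCTED_PAYLOAD. Returns (matched, cursor after the final byte_test)."""
    c = Cursor(payload)
    ok = c.byte_extract(1, 4, "variableB")                          # B = 3, cursor -> 5
    # Read A at offset 0 (cursor 5 - 5); jump 2A from the byte after A (1), plus 5:
    # cursor = 1 + 2A + 5 = 2A + 6
    ok = ok and c.byte_jump(1, -5, relative=True, multiplier=2, post_offset=5)
    ok = ok and c.byte_test(4, "=", 0xDEADBEEF, "variableB", relative=True)   # offset 2A+6+B
    return ok, c.pos


def xor_trick_moves_cursor(payload=CONSTRUCTED_PAYLOAD):
    """The 'byte_test ^ 0xff' idea from the thread: does the cursor move? (It does not.)"""
    c = Cursor(payload)
    before = c.pos
    c.byte_test(1, "^", 0xFF, 6, relative=True)
    return c.pos != before


if __name__ == "__main__":
    print(trace_thread_rule())          # (True, [2, 2, 2, 2])
    print(jump_to_computed_offset())    # (True, 10)
    print(xor_trick_moves_cursor())     # False
```

The trace shows why the three byte_tests in the first rule are all measured from the end of "05 64": the cursor never leaves offset 2. Only content, byte_extract and byte_jump move it in this model, which is why the byte_jump route reaches a computed offset and the byte_test route cannot.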
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- byte_test and relative Brandon Castel (Oct 12)
- Re: byte_test and relative Todd Wease (Nov 02)
- Re: byte_test and relative Todd Wease (Nov 02)
- Re: byte_test and relative Brandon Castel (Nov 02)
- Re: byte_test and relative Todd Wease (Nov 02)
- Re: byte_test and relative Todd Wease (Nov 02)
- Re: byte_test and relative Todd Wease (Nov 02)