Snort mailing list archives

Re: Quick question about byte_test


From: Nathan Benson <nathan () sourcefire com>
Date: Wed, 13 Feb 2013 13:29:39 -0500

Hi Jeff,

If I understand your question correctly, the relative position of the
cursor will be immediately *after* the bytes you read in using
byte_extract.  Simply, byte_extract *does* move the cursor where byte_test
does not.

I'll give you an example:

$ ruby -e 'print "\x00\x01\x02\x03\x04"' > test.dat

$ file2pcap test.dat test.pcap

$ cat local.rules
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
   msg:"TEST byte_test and byte_extract"; \
   flow:to_client,established; \
   file_data; \

   # Reads in bytes 00 01 and leaves cursor right after 01:
   byte_extract:2,0,first_two_bytes; \

   # Now we test to see if the next byte is 0x02 relative, with 0 offset:
   byte_test:1,=,0x2,0,relative; \

   # Test one byte offset from the current byte, which should be 0x03:
   byte_test:1,=,0x3,1,relative; \

   # Make sure the second set of bytes are larger than the first_two_bytes.
   byte_test:2,>,first_two_bytes,0,relative; \

   metadata:service http; \
   classtype:misc-activity; \
   sid:100000; rev:1; \
)

The alert from Snort:

##### test.pcap #####
[1:100000:1] TEST byte_test and byte_extract (alerts: 1) (reassembled)
#####


To address the second part of your question, you can plainly see that
byte_extract will work fine with no content matches.  However, and this is
a *big however*, the rule that I provided above is a really, really, bad
idea to put into production.  Especially on something like $HTTP_PORTS.

The problem lies in there is no content match.  So the above rule will
enter on *everything* on $HTTP_PORTS, do its checks and bail (or alert).
As you can imagine this is terrible for performance.  So, having something
like this on a high traffic network/port is bad juju.

I hope this helps.

nb
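An added example, not from the post or from Snort's own code, that models the cursor behaviour described above in Python: byte_extract advances the position past the bytes it read, byte_test reads relative to it but leaves it alone. The class and function names are my own, and the five-byte payload is constructed to match the test.dat written above.

```python
import operator

# Constructed sample input: the same five bytes the post writes to test.dat.
PAYLOAD = bytes([0x00, 0x01, 0x02, 0x03, 0x04])

OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt,
       "&": lambda a, b: (a & b) != 0}


class DetectCursor:
    """Minimal model of the detection cursor over a file_data buffer:
    byte_extract advances it past the bytes it read, byte_test never moves it."""

    def __init__(self, buf):
        self.buf = buf
        self.pos = 0      # cursor starts at the beginning of the buffer
        self.vars = {}    # variables defined by byte_extract

    def _read(self, nbytes, offset, relative):
        start = (self.pos if relative else 0) + offset
        if start < 0 or start + nbytes > len(self.buf):
            return None, None          # read outside the buffer: the option fails
        return int.from_bytes(self.buf[start:start + nbytes], "big"), start + nbytes

    def byte_extract(self, nbytes, offset, name, relative=False):
        value, end = self._read(nbytes, offset, relative)
        if value is None:
            return False
        self.vars[name] = value
        self.pos = end                 # cursor lands right after the extracted bytes
        return True

    def byte_test(self, nbytes, op, rhs, offset, relative=False):
        value, _ = self._read(nbytes, offset, relative)
        if value is None:
            return False
        rhs = self.vars[rhs] if isinstance(rhs, str) else rhs   # variable or literal
        return OPS[op](value, rhs)     # self.pos is intentionally left untouched


def rule_matches(buf):
    """Evaluate the option chain of the posted rule; returns (matched, cursor)."""
    c = DetectCursor(buf)
    matched = (c.byte_extract(2, 0, "first_two_bytes")          # reads 00 01, cursor -> 2
               and c.byte_test(1, "=", 0x2, 0, relative=True)   # byte at the cursor
               and c.byte_test(1, "=", 0x3, 1, relative=True)   # byte at cursor + 1
               and c.byte_test(2, ">", "first_two_bytes", 0, relative=True))
    return matched, c.pos


if __name__ == "__main__":
    print(rule_matches(PAYLOAD))   # (True, 2)
```

A payload whose second pair of bytes is not larger than the first (for example 02 03 02 03 04) fails the last byte_test, and a buffer shorter than the relative read fails the option rather than reading past the end.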


On Tue, Feb 12, 2013 at 2:49 PM, Jeffrey Stebelton
<jstebelton () netjets com> wrote:

When byte_test follows byte_extract, does a relative offset start after
the number of bytes put into the variable in byte_extract or a previous
content match before the byte_extract? And if it's the latter, then there
would have to be at least one content match before the byte_extract?

Jeff




------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
