Snort mailing list archives
Re: Quick question about byte_test
From: Nathan Benson <nathan () sourcefire com>
Date: Wed, 13 Feb 2013 13:29:39 -0500
Hi Jeff,

If I understand your question correctly, the relative position of the cursor will be immediately *after* the bytes you read in using byte_extract. Simply, byte_extract *does* move the cursor where byte_test does not.

I'll give you an example:

$ ruby -e 'print "\x00\x01\x02\x03\x04"' > test.dat
$ file2pcap test.dat test.pcap
$ cat local.rules
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"TEST byte_test and byte_extract"; \
    flow:to_client,established; \
    file_data; \
    # Reads in bytes 00 01 and leaves the cursor right after 01:
    byte_extract:2,0,first_two_bytes; \
    # Now we test to see if the next byte is 0x02, relative, with 0 offset:
    byte_test:1,=,0x2,0,relative; \
    # Test one byte offset from the current byte, which should be 0x03:
    byte_test:1,=,0x3,1,relative; \
    # Make sure the second set of bytes is larger than first_two_bytes:
    byte_test:2,>,first_two_bytes,0,relative; \
    metadata:service http; \
    classtype:misc-activity; \
    sid:100000; rev:1; \
)

The alert from Snort:

##### test.pcap #####
[1:100000:1] TEST byte_test and byte_extract (alerts: 1) (reassembled)
#####

To address the second part of your question, you can plainly see that byte_extract will work fine with no content matches. However, and this is a *big however*, the rule that I provided above is a really, really bad idea to put into production, especially on something like $HTTP_PORTS. The problem lies in the fact that there is no content match. So the above rule will enter on *everything* on $HTTP_PORTS, do its checks and bail (or alert). As you can imagine, this is terrible for performance. So, having something like this on a high-traffic network/port is bad juju.

I hope this helps.

nb

On Tue, Feb 12, 2013 at 2:49 PM, Jeffrey Stebelton <jstebelton () netjets com> wrote:
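A small Python model of the cursor behaviour Nathan describes, added here as an illustration (it is not from the original post and not Snort's own code): it walks the rule's byte_extract/byte_test chain over his constructed payload, with byte_extract advancing the cursor and byte_test leaving it alone. It assumes big-endian reads and no content matches, which is all the rule above uses.

```python
# Added example, not from the original post or from Snort itself: a small
# model of the detection cursor, reproducing the semantics Nathan describes
# (byte_extract moves the cursor, byte_test does not) on his sample payload.
OPS = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}


class Cursor:
    def __init__(self, payload: bytes):
        self.payload = payload
        self.pos = 0      # end of the last content match / byte_extract
        self.vars = {}    # variables defined by byte_extract

    def _read(self, size, offset, relative):
        """Return (value, end) for `size` bytes at `offset`, or None if short."""
        start = (self.pos if relative else 0) + offset
        chunk = self.payload[start:start + size]
        if start < 0 or len(chunk) != size:
            return None
        return int.from_bytes(chunk, "big"), start + size

    def byte_extract(self, size, offset, name, relative=False):
        r = self._read(size, offset, relative)
        if r is None:
            return None                # option fails; cursor untouched
        self.vars[name], self.pos = r  # cursor now sits right after the bytes
        return self.vars[name]

    def byte_test(self, size, op, value, offset, relative=False):
        if isinstance(value, str):
            value = self.vars[value]   # compare against a byte_extract variable
        r = self._read(size, offset, relative)
        return r is not None and OPS[op](r[0], value)  # cursor unchanged


def run_rule(payload: bytes) -> bool:
    """Evaluate the byte_extract/byte_test chain from the rule above."""
    c = Cursor(payload)
    if c.byte_extract(2, 0, "first_two_bytes") is None:
        return False
    return (c.byte_test(1, "=", 0x2, 0, relative=True)
            and c.byte_test(1, "=", 0x3, 1, relative=True)
            and c.byte_test(2, ">", "first_two_bytes", 0, relative=True))


if __name__ == "__main__":
    # Constructed payload, identical to the test.dat bytes in the post
    print(run_rule(b"\x00\x01\x02\x03\x04"))  # True
```

Because the model has no content match either, it makes the performance point concrete too: run_rule is evaluated against every payload handed to it, and only fails late.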
When byte_test follows byte_extract, does a relative offset start after the number of bytes put into the variable in byte_extract or a previous content match before the byte_extract? And if it's the latter, then there would have to be at least one content match before the byte_extract?

Jeff
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Quick question about byte_test Jeffrey Stebelton (Feb 12)
- Re: Quick question about byte_test Nathan Benson (Feb 14)