Snort mailing list archives
Re: Feature request: isdataat ability in specific (preprocessor) buffers
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 24 Oct 2013 08:21:37 -0400
:) Yes. But all of that is part of something bigger. It'll all come together. You can kinda trick http_uri/isdataat with a urilen. Not the same thing, but if used properly can have the same effect.

Sent from my iPhone

On Oct 24, 2013, at 7:08, Joshua Kinard <kumba () gentoo org> wrote:

> On 10/18/2013 10:14 AM, Bad Horse wrote:
>> Sure, the one I didn't see working was http_uri. I assumed that the other buffers for the http_inspect preprocessor didn't work for "isdataat" as well, and if the "http_*" buffers weren't able to be used for "isdataat", I figured that the other preprocessor buffers weren't recognized too. Tested on Snort 2.9.1 and Snort 2.9.3.
>
> The http_* keywords, except http_encode, are not themselves stand-alone keywords. They're modifiers to the previous content keyword (same as nocase, the positional modifiers, rawbytes, etc.). This is why you can't use them in conjunction w/ isdataat, and also why they have to go *after* a content keyword.
>
> Per my last message, I think this is going to be fixed by converting the http_* modifier keywords into "sticky buffers", so instead of this construct:
>
>     content:"/foo.php?id=42"; http_uri; fast_pattern:only;
>
> You would write this instead:
>
>     http_uri_data; content:"/foo.php?id=42"; fast_pattern:only;
>
> And thus, you can then use isdataat like so:
>
>     http_uri_data; isdataat:42; content:"&bar=1729"; pkt_data; <other checks>
>
> You can kinda see this in action in the SIP preprocessor's keywords, sip_header and sip_body. You have to use those before performing any payload checks so that you're in the correct buffer.
>
> Basically, when you currently use an http_* modifier, Snort temporarily flips its internal pointer to the specified http buffer, performs the content check, then flips back to the normal payload buffer. W/ the changeover to these sticky buffers, you have to specifically switch to an http buffer, perform whatever payload check you desire, THEN switch back to the normal buffer via the pkt_data keyword (assuming you have additional checks to perform there). It'll require a bit more thinking on the part of the rule writer to know which buffer they want to be in when they perform a specific check, but it opens up more flexibility as well.
>
> Now, if we can just get some sticky buffers for SMTP and DNS, that'd be sweeeeet.
>
> --
> Joshua Kinard
> Gentoo/MIPS
> kumba () gentoo org
> 4096R/D25D95E3 2011-03-28
>
> "The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
> --Emperor Turhan, Centauri Republic

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
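A toy evaluator added here (not Snort code, nor from anyone in the thread) to make the point of the exchange above concrete: with the 2.9 modifier style, isdataat tests the packet payload, while the proposed sticky-buffer style tests the URI, and Joel's urilen workaround measures the URI directly. The http_uri_data/pkt_data keywords are the thread's proposed syntax, the sample request is constructed, and real Snort buffer semantics are far richer than this model.

```python
HTTP_BUFFERS = ("http_uri", "http_header", "http_client_body")

def split_http(request: bytes) -> dict:
    """Carve a raw request into the buffers Snort's http_inspect exposes (simplified)."""
    head, _, body = request.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    return {"pkt_data": request, "http_uri": uri,
            "http_header": b"\r\n".join(headers), "http_client_body": body}

def eval_rule(options, buffers) -> bool:
    """Walk rule options in order and return True if every check passes.
    A 'content' may name a modifier buffer: only that one check runs there and
    the cursor then returns to pkt_data (the 2.9 behaviour described above).
    The proposed '<buf>_data' keywords are sticky: they hold until 'pkt_data'."""
    cur = "pkt_data"
    for opt in options:
        kw, args = opt[0], opt[1:]
        if kw == "pkt_data":
            cur = "pkt_data"
        elif kw.endswith("_data") and kw[:-5] in HTTP_BUFFERS:
            cur = kw[:-5]
        elif kw == "content":
            modifier = args[1] if len(args) > 1 else None
            if args[0] not in buffers[modifier or cur]:
                return False
        elif kw == "isdataat":          # isdataat:N -> buffer has a byte at offset N
            if len(buffers[cur]) <= args[0]:
                return False
        elif kw == "urilen":            # urilen:>N -> URI longer than N bytes
            if len(buffers["http_uri"]) <= args[0]:
                return False
        else:
            raise ValueError(f"unsupported keyword {kw}")
    return True

# Constructed sample request; the URI is 23 bytes, the whole request far more.
REQUEST = (b"GET /foo.php?id=42&bar=1729 HTTP/1.1\r\nHost: example.test\r\n"
           b"User-Agent: constructed-sample\r\n\r\n")
# Modifier style: isdataat carries no buffer modifier, so it tests pkt_data.
MODIFIER_RULE = [("content", b"/foo.php?id=42", "http_uri"), ("isdataat", 42)]
# Sticky style from the thread: isdataat and content both apply to the URI.
STICKY_RULE = [("http_uri_data",), ("isdataat", 42), ("content", b"&bar=1729"),
               ("pkt_data",), ("content", b"Host:")]
# Joel's workaround in current syntax: urilen measures the URI directly.
URILEN_RULE = [("content", b"/foo.php?id=42", "http_uri"), ("urilen", 42)]

def matches(rule, request: bytes) -> bool:
    return eval_rule(rule, split_http(request))
```

Run against REQUEST, MODIFIER_RULE fires even though the URI is only 23 bytes, because its isdataat was really checking the packet; STICKY_RULE and URILEN_RULE do not.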
Current thread:
- Feature request: isdataat ability in specific (preprocessor) buffers Bad Horse (Oct 18)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Joel Esler (Oct 18)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Bad Horse (Oct 18)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Joel Esler (Oct 18)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Bad Horse (Oct 23)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Joel Esler (Oct 23)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Bad Horse (Oct 23)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Bad Horse (Oct 18)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Joshua Kinard (Oct 24)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Joel Esler (Oct 18)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Joshua Kinard (Oct 24)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Joel Esler (Oct 24)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers L0rd Ch0de1m0rt (Nov 06)
- Re: Feature request: isdataat ability in specific (preprocessor) buffers Joel Esler (Nov 07)