Snort mailing list archives

Re: Feature request: isdataat ability in specific (preprocessor) buffers


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 24 Oct 2013 08:21:37 -0400

:)

Yes. But all of that is part of something bigger.  It'll all come together. 

You can kinda trick http_uri/isdataat with a urilen. Not the same thing, but if used properly can have the same effect. 
Sent from my iPhone

On Oct 24, 2013, at 7:08, Joshua Kinard <kumba () gentoo org> wrote:

On 10/18/2013 10:14 AM, Bad Horse wrote:
Sure, the one I didn't see working was http_uri.  I assumed that the other
buffers for the http_inspect preprocessor didn't work for "isdataat" as
well and if the "http_*" buffers weren't able to be used for "isdataat", I
figured that the other preprocessor buffers weren't recognized too.  Tested
on Snort 2.9.1 and Snort 2.9.3.

The http_* keywords, except http_encode, are not themselves stand-alone
keywords.  They're modifiers to the previous content keyword (same as
nocase, the positional modifiers, rawbytes, etc).  This is why you can't use
them in conjunction w/ isdataat, and also why they have to go *after* a
content keyword.

Per my last message, I think this is going to be fixed by converting the
http_* modifier keywords into "sticky buffers", so instead of this construct:
content:"/foo.php?id=42"; http_uri; fast_pattern:only;

You would write this instead:
http_uri_data; content:"/foo.php?id=42"; fast_pattern:only;

And thus, you can then use isdataat like so:
http_uri_data; isdataat:42; content:"&bar=1729"; pkt_data; <other checks>

You can kinda see this in action in the SIP preprocessor's keywords,
sip_header and sip_body.  You have to use those before performing any
payload checks so that you're in the correct buffer.

Basically, when you currently use an http_* modifier, Snort temporarily
flips its internal pointer to the specified http buffer, performs the
content check, then flips back to the normal payload buffer.  W/ the
changeover to these sticky buffers, you have to specifically switch to an
http buffer, perform whatever payload check you desire, THEN switch back to
the normal buffer via the pkt_data keyword (assuming you have additional
checks to perform there).

It'll require a bit more thinking on the part of the rule writer to know
which buffer they want to be in when they perform a specific check, but it
opens up more flexibility as well.

Now, if we can just get some sticky buffers for SMTP and DNS, that'd be
sweeeeet.

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
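The two option styles Kinard contrasts (the legacy `http_uri` content modifier that flips to the URI buffer only for one check, versus a sticky `http_uri_data` selector that stays in effect until `pkt_data`), together with the `urilen` workaround Esler mentions, modelled in a small Python rule-option evaluator. This is an added example written for this page; it is not Snort source and not code from either poster. The option grammar, the `http_uri_data` name (the thread's proposal, not a shipped keyword), the buffer names, the sample request and the simplified `isdataat` semantics ("at least N bytes of data from the cursor", no `nocase`) are all constructed assumptions.

```python
"""Toy evaluator for Snort-style rule options in two modes.

legacy (sticky=False): http_uri is a modifier of the preceding content
    and temporarily redirects only that one check to the URI buffer.
sticky (sticky=True): http_uri_data / pkt_data are stand-alone options that
    change which buffer every following check (content, isdataat) runs in.
Constructed example; not Snort code.
"""
from typing import Dict, List, Tuple

# Constructed sample HTTP request (not a real capture).
RAW_PACKET = (
    b"GET /foo.php?id=42&bar=1729 HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)

# Legacy syntax: these attach to the content option immediately before them.
LEGACY_MODIFIERS = {"http_uri", "nocase", "fast_pattern", "rawbytes"}
# Proposed sticky syntax: option name -> buffer it selects (assumed names).
STICKY_SELECTORS = {"http_uri_data": "uri", "pkt_data": "pkt"}


def extract_buffers(raw: bytes) -> Dict[str, bytes]:
    """'pkt' is the whole payload; 'uri' is the request-line URI (simplified)."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 3 else b""
    return {"pkt": raw, "uri": uri}


def parse_options(rule_opts: str) -> List[Tuple[str, str]]:
    """Turn 'key:"value"; key; ...' into (key, value) pairs, quotes stripped."""
    opts = []
    for item in rule_opts.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts.append((key.strip(), value.strip().strip('"')))
    return opts


def _urilen_ok(spec: str, length: int) -> bool:
    """urilen:N, urilen:<N, urilen:>N or urilen:N<>M (simplified)."""
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) < length < int(hi)
    if spec.startswith(">"):
        return length > int(spec[1:])
    if spec.startswith("<"):
        return length < int(spec[1:])
    return length == int(spec)


def evaluate(rule_opts: str, raw: bytes, sticky: bool) -> bool:
    """Return True if every option matches; raise ValueError on misuse."""
    bufs = extract_buffers(raw)
    current = "pkt"   # buffer the next check runs against
    cursor = 0        # end of the last match in 'current' (for relative checks)
    opts = parse_options(rule_opts)
    i = 0
    while i < len(opts):
        key, val = opts[i]
        if key == "content":
            pattern = val.encode()
            # Gather legacy-style modifiers that follow this content.
            mods, j = set(), i + 1
            while j < len(opts) and opts[j][0] in LEGACY_MODIFIERS:
                mods.add(opts[j][0])
                j += 1
            if "http_uri" in mods:
                if sticky:
                    raise ValueError("http_uri is a modifier; in sticky mode use http_uri_data")
                # Legacy: flip to the URI buffer for this one check, then flip back.
                if bufs["uri"].find(pattern) < 0:
                    return False
            else:
                pos = bufs[current].find(pattern, cursor)
                if pos < 0:
                    return False
                cursor = pos + len(pattern)
            i = j
            continue
        if key in LEGACY_MODIFIERS:
            # This is the thread's point: 'isdataat:42; http_uri;' has no content to modify.
            raise ValueError(f"{key} must follow a content option")
        if key in STICKY_SELECTORS:
            if not sticky:
                raise ValueError(f"{key} requires sticky buffers")
            current, cursor = STICKY_SELECTORS[key], 0
        elif key == "isdataat":
            n_str, _, flag = val.partition(",")
            start = cursor if flag.strip() == "relative" else 0
            if len(bufs[current]) - start < int(n_str):
                return False
        elif key == "urilen":
            if not _urilen_ok(val, len(bufs["uri"])):
                return False
        else:
            raise ValueError(f"unsupported option: {key}")
        i += 1
    return True


if __name__ == "__main__":
    rule = 'http_uri_data; isdataat:20; content:"&bar=1729"; pkt_data; content:"Host:";'
    print(rule, "->", evaluate(rule, RAW_PACKET, sticky=True))
```

With the constructed request the URI is 23 bytes, so Kinard's literal `isdataat:42` example evaluates false while `isdataat:20` (or `urilen:>20` in legacy mode) evaluates true; the legacy form `isdataat:42; http_uri;` is rejected because `http_uri` has no content option to modify, which is exactly the limitation the thread discusses. Snort 3 later adopted this sticky-buffer model, with `http_uri` itself acting as the buffer selector.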
