Snort mailing list archives
Re: Question on the relationship between byte_jump and content options
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Wed, 24 Jun 2015 09:18:00 -0400
Byte_jump is not a content modifier but a standalone operation that moves the cursor (or point of inspection). This way a rule can skip over a record whose length we can read in the data. In the above example, we find a content match, read 2 bytes and jump that number of bytes from where the content was found, then we look for 3 static bytes right after where we land.

Hope this helps.

Alex McDonnell
TALOS

On Wed, Jun 24, 2015 at 8:57 AM, Tyler Smith <tyler.smith () adventiumlabs com> wrote:
Is the behavior of the 'content' option affected by 'byte_jump' options before or after it in a rule? The content manual page doesn't list byte_jump as one of the available content modifiers, but some rules (e.g., sid 30777) appear to be written with an assumption that different content will be found following a byte_jump:

LEFT RULE:

    alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30777; rev:3;)

Thanks,
Tyler

P.S. Documentation I'm referring to: http://manual.snort.org/node32.html#SECTION00451300000000000000

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
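As an added example (not code from this thread and not Snort's own matcher), the following Python walks the option chain of sid:30777 the way the reply above describes: the first content sets the cursor, byte_jump reads the 2-byte SSLv3 record length at the cursor and lands just past the bytes read plus that value, the second content is pinned to the three bytes at the landing point by within:3, and byte_test then reads the length field of the record the rule landed on. The semantics (big-endian reads, relative offsets, a jump past the end of the payload failing) follow the Snort 2 manual; the SSLv3 records are constructed inline, not captured traffic, and the handshake body is a placeholder rather than a valid ServerHello.

```python
import struct

# Cursor-based evaluator for the detection options used by sid:30777.
# Added illustration, not Snort's code: every option takes the current
# cursor (the "point of inspection") and returns the new one, or None/False.


def content_matches(payload, pattern, cursor, within=None):
    """content:"..." [within:N]. Returns every cursor position (the index just
    past a match) the option could leave the rule at, in payload order.
    Without 'within' the pattern may sit anywhere at or after the cursor;
    with within:N the whole match must end within N bytes of the cursor."""
    limit = len(payload) if within is None else min(len(payload), cursor + within)
    hits, start = [], cursor
    while True:
        i = payload.find(pattern, start, limit)
        if i < 0:
            return hits
        hits.append(i + len(pattern))
        start = i + 1


def byte_jump(payload, cursor, num_bytes, offset, relative=True):
    """byte_jump:num_bytes,offset[,relative]. Reads a big-endian unsigned
    integer at cursor+offset (or payload start+offset when not relative) and
    moves the cursor to just past the bytes read plus the value read.
    A jump beyond the end of the payload fails."""
    pos = (cursor if relative else 0) + offset
    field = payload[pos:pos + num_bytes]
    if len(field) != num_bytes:
        return None
    new_cursor = pos + num_bytes + int.from_bytes(field, "big")
    return new_cursor if new_cursor <= len(payload) else None


def byte_test(payload, cursor, num_bytes, op, value, offset, relative=True):
    """byte_test:num_bytes,op,value,offset[,relative]. Big-endian read and
    compare; the cursor is not moved."""
    pos = (cursor if relative else 0) + offset
    field = payload[pos:pos + num_bytes]
    if len(field) != num_bytes:
        return False
    n = int.from_bytes(field, "big")
    return {">": n > value, "<": n < value, "=": n == value}[op]


def sid_30777_matches(payload):
    """Evaluates the option chain of sid:30777 in rule order. Like Snort, it
    retries with later occurrences of the first content before giving up."""
    for c in content_matches(payload, b"\x16\x03\x00", 0):
        # byte_jump:2,0,relative -> skip over the SSLv3 handshake record body
        c = byte_jump(payload, c, 2, 0, relative=True)
        if c is None:
            continue
        # content:"|18 03 00|"; within:3 -> the very next record must be a heartbeat
        for c2 in content_matches(payload, b"\x18\x03\x00", c, within=3):
            # byte_test:2,>,128,0,relative -> that heartbeat record is large
            if byte_test(payload, c2, 2, ">", 128, 0, relative=True):
                return True
    return False


def ssl_record(content_type, body):
    """SSLv3 record: type, version 3.0, big-endian body length, body."""
    return bytes([content_type, 0x03, 0x00]) + struct.pack(">H", len(body)) + body


# Constructed server->client payloads (hypothetical, not real captures).
HANDSHAKE = ssl_record(0x16, b"\x02\x00\x00\x00")  # placeholder handshake body
CCS = ssl_record(0x14, b"\x01")                     # ChangeCipherSpec record
BIG_HEARTBEAT = ssl_record(0x18, b"\x02" + struct.pack(">H", 0x4000) + b"A" * 200)
SMALL_HEARTBEAT = ssl_record(0x18, b"\x02" + struct.pack(">H", 16) + b"A" * 16)

SAMPLES = {
    "heartbleed_like": HANDSHAKE + BIG_HEARTBEAT,     # alert: record length 203 > 128
    "normal_heartbeat": HANDSHAKE + SMALL_HEARTBEAT,  # no alert: record length 19
    "not_adjacent": HANDSHAKE + CCS + BIG_HEARTBEAT,  # no alert: within:3 fails on the CCS header
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {'ALERT' if sid_30777_matches(pkt) else 'no alert'}")
```

The third sample is the reason the rule needs byte_jump rather than a plain second content: the heartbeat record is large, but it is not the record immediately after the handshake record, so the jump lands on a ChangeCipherSpec header and within:3 leaves the second content nowhere to match. Backtracking is modeled only for the first content; the real engine also applies fast_pattern and the service ssl metadata, which are omitted here.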
Current thread:
- Question on the relationship between byte_jump and content options Tyler Smith (Jun 24)
- Re: Question on the relationship between byte_jump and content options Alex McDonnell (Jun 24)
- Re: Question on the relationship between byte_jump and content options Tyler Smith (Jun 24)
- Re: Question on the relationship between byte_jump and content options Alex McDonnell (Jun 24)
- Re: Question on the relationship between byte_jump and content options Tyler Smith (Jun 24)
- Re: Question on the relationship between byte_jump and content options Alex McDonnell (Jun 24)