Snort mailing list archives
Re: Hello,
From: Rodrigo Borges Pereira <rodrigoborgespereira () gmail com>
Date: Fri, 22 Jul 2016 19:04:55 +0000
Hi Hui,

Yes, that is not a problem and the rule does it. The problem is the right boundary of the filename when a pcre is used.

Rgds

On Fri, 22 Jul 2016 at 19:53, Hui cao <huica () cisco com> wrote:
Hi Rgds,

SMB header should have name offset, so you can extract the name offset && length and jump to the name data.

Best,
Hui.

On 07/22/2016 02:44 PM, Joel Esler (jesler) wrote:

Can you attach a pcap? A copy and paste doesn't work.

--
Joel Esler
iPhone

On Jul 22, 2016, at 1:45 PM, Rodrigo Borges Pereira <rodrigoborgespereira () gmail com> wrote:

Just to add that having the ability to somehow limit the depth of the PCRE would make this really simple to achieve (at least in the way I'm trying it, of course :)

Rgds

On Fri, Jul 22, 2016 at 6:43 PM Rodrigo Borges Pereira <rodrigoborgespereira () gmail com> wrote:

Hi Joel,

Of course, I can give more details. I'm attempting to match an exact filename on SMB2 0x05 Create Requests. I'm able to use byte_jumps in order to get to the beginning of the filename buffer. Then I can search from there. However, due to the way SMB2 requests are sometimes constructed, it's getting very difficult to achieve 100% accuracy, and in some cases I'm losing positives.

Here's the current rule. For example, this one tries to match a filename just named "x", either in the root dir or inside a sub-dir.

    content: "|FE|SMB"; offset: 4; content: "|00 05|"; distance: 7; within: 2; byte_jump: 2, 8, from_beginning, little, post_offset +48; byte_jump: 2, 0, from_beginning, little, post_offset +4; content: "|00|"; distance: -1; pcre: "/^\x00(\x00x\x00|.*\x5c\x00x\x00)(\x00){0,8}\x28\x00\x00\x00\x10\x00\x04/R";

This works most of the time, because usually, after the filename buffer, you have an 8-byte 00 padding until |28 00 00 00 10 00 04|. In some cases though, there are some different bytes in that padding, and I couldn't find any information about that. When that happens, the rule does not match.

Here's a printout of two example packets:

UNDETECTED POSITIVE

    0000  00 00 00 c0 fe 53 4d 42 40 00 01 00 00 00 00 00  .....SMB@.......
    0010  05 00 01 00 00 00 00 00 00 00 00 00 3f 07 00 00  ............?...
    0020  00 00 00 00 ff fe 00 00 d0 0d 81 18 b0 bd ba 2a  ...............*
    0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040  00 00 00 00 39 00 00 00 02 00 00 00 00 00 00 00  ....9...........
    0050  00 00 00 00 00 00 00 00 00 00 00 00 80 00 01 00  ................
    0060  00 00 00 00 04 00 00 00 01 00 00 00 40 10 00 00  ............@...
    0070  78 00 02 00 80 00 00 00 40 00 00 00 78 00 9e 6f  x.......@...x..o
    0080  23 e4 d1 01 28 00 00 00 10 00 04 00 00 00 18 00  #...(...........
    0090  10 00 00 00 44 48 6e 51 00 00 00 00 00 00 00 00  ....DHnQ........
    00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00b0  10 00 04 00 00 00 18 00 00 00 00 00 4d 78 41 63  ............MxAc
    00c0  00 00 00 00                                      ....

    0000  00 00 00 d8 fe 53 4d 42 40 00 01 00 00 00 00 00  .....SMB@.......
    0010  05 00 01 00 00 00 00 00 00 00 00 00 3f 00 00 00  ............?...
    0020  00 00 00 00 ff fe 00 00 df 9e 28 43 d8 19 30 16  ..........(C..0.
    0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040  00 00 00 00 39 00 00 09 02 00 00 00 00 00 00 00  ....9...........
    0050  00 00 00 00 00 00 00 00 00 00 00 00 9f 01 17 00  ................
    0060  20 00 00 00 00 00 00 00 02 00 00 00 44 00 00 00   ...........D...
    0070  78 00 02 00 80 00 00 00 58 00 00 00 78 00 00 00  x.......X...x...
    0080  00 00 00 00 28 00 00 00 10 00 04 00 00 00 18 00  ....(...........
    0090  10 00 00 00 44 48 6e 51 00 00 00 00 00 00 00 00  ....DHnQ........
    00a0  00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00  ................
    00b0  10 00 04 00 00 00 18 00 00 00 00 00 4d 78 41 63  ............MxAc
    00c0  00 00 00 00 00 00 00 00 10 00 04 00 00 00 18 00  ................
    00d0  00 00 00 00 51 46 69 64 00 00 00 00              ....QFid....

Thanks!!

On Fri, Jul 22, 2016 at 6:26 PM Joel Esler (jesler) <jesler () cisco com> wrote:

You can't use a variable from a byte_extract within a pcre. We can probably help you with what you are trying to do, if you have a pcap and describe the problem.
--
Joel Esler
iPhone

On Jul 22, 2016, at 1:24 PM, Rodrigo Borges Pereira <rodrigoborgespereira () gmail com> wrote:

Is there a way to limit the depth of a pcre search? I can use byte_extract to get the length of a variable buffer to which the pcre expression should apply, but there doesn't seem to be an option to do this.

Appreciate any hints.

Rgds.
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic patterns at an interface-level. Reveals which users, apps, and protocols are consuming the most bandwidth. Provides multi-vendor support for NetFlow, J-Flow, sFlow and other flows. Make informed decisions using capacity planning reports. http://sdm.link/zohodev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
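Hui's suggestion, worked through as an added example (Python, not code from the thread or from the Snort project): parse the two CREATE requests from the hex dumps above, take the filename from the NameOffset/NameLength fields of the CREATE request body, and compare it exactly, so whatever follows the name no longer matters. Field layouts follow MS-SMB2; the sample byte strings are the two dumps re-typed as constants, and the helper names (parse_create_request, filename_is, name_matches, padding_based_match) are my own. padding_based_match is only a reduced restatement of the pcre's right-boundary assumption (name, up to eight NUL bytes, then the first create-context header), not an emulation of Snort's byte_jump/pcre cursor handling.

```python
"""Added example (not code from the thread): match an SMB2 CREATE filename exactly by reading
NameOffset/NameLength, as Hui suggests, instead of assuming NUL padding after the name."""
import re
import struct
from typing import List, NamedTuple

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_CREATE = 0x0005
SMB2_FLAGS_SERVER_TO_REDIR = 0x1    # set on responses, clear on requests
CREATE_REQ_STRUCT_SIZE = 57         # StructureSize of a CREATE request
CREATE_REQ_FIXED_LEN = 56           # CREATE request bytes before the variable Buffer
# CREATE request fixed part (MS-SMB2 2.2.13); fields 11..14 are NameOffset, NameLength,
# CreateContextsOffset, CreateContextsLength
CREATE_REQ = struct.Struct("<HBBIQQIIIIIHHII")
# Create context header: Next, NameOffset, NameLength, Reserved, DataOffset, DataLength
CREATE_CTX = struct.Struct("<IHHHHI")

# Constructed sample input: the two CREATE requests from the hex dumps in the thread,
# NetBIOS session header included. The first one is the "UNDETECTED POSITIVE".
SAMPLE_UNDETECTED = bytes.fromhex(
    "000000c0fe534d4240000100000000000500010000000000000000003f070000"
    "00000000fffe0000d00d8118b0bdba2a00000000000000000000000000000000"
    "0000000039000000020000000000000000000000000000000000000080000100"
    "0000000004000000010000004010000078000200800000004000000078009e6f"
    "23e4d1012800000010000400000018001000000044486e510000000000000000"
    "000000000000000000000000000000001000040000001800000000004d784163"
    "00000000")
SAMPLE_SECOND = bytes.fromhex(
    "000000d8fe534d4240000100000000000500010000000000000000003f000000"
    "00000000fffe0000df9e2843d819301600000000000000000000000000000000"
    "000000003900000902000000000000000000000000000000000000009f011700"
    "2000000000000000020000004400000078000200800000005800000078000000"
    "000000002800000010000400000018001000000044486e510000000000000000"
    "000000000000000000000000180000001000040000001800000000004d784163"
    "00000000000000001000040000001800000000005146696400000000")


class CreateRequest(NamedTuple):
    name: str            # path relative to the share root, decoded from UTF-16LE
    name_offset: int     # offset of the name from the start of the SMB2 header
    padding: bytes       # whatever sits between the name and the create contexts
    contexts: List[str]  # create-context names in chain order


def parse_create_request(pkt: bytes) -> CreateRequest:
    """Parse one NetBIOS-framed SMB2 CREATE request; raise ValueError for anything else."""
    body = pkt[4:]
    if len(pkt) < 4 or int.from_bytes(pkt[:4], "big") != len(body):
        raise ValueError("NetBIOS session length does not match payload")
    if len(body) < SMB2_HEADER_LEN + CREATE_REQ_FIXED_LEN or body[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    hdr_size, command, flags = struct.unpack_from("<HxxxxxxHxxI", body, 4)
    if hdr_size != SMB2_HEADER_LEN or command != SMB2_CREATE or flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not an SMB2 CREATE request")
    fields = CREATE_REQ.unpack_from(body, SMB2_HEADER_LEN)
    struct_size, (name_off, name_len, ctx_off, ctx_len) = fields[0], fields[11:]
    # All offsets are relative to the SMB2 header, i.e. to body[0]; bound them before slicing.
    if (struct_size != CREATE_REQ_STRUCT_SIZE or name_len % 2
            or name_off < SMB2_HEADER_LEN + CREATE_REQ_FIXED_LEN or name_off + name_len > len(body)):
        raise ValueError("malformed CREATE request or name buffer out of bounds")
    name = body[name_off:name_off + name_len].decode("utf-16-le")
    padding, contexts = b"", []
    if ctx_len:
        ctx_end = ctx_off + ctx_len
        if ctx_off < name_off + name_len or ctx_end > len(body):
            raise ValueError("create contexts out of bounds")
        padding = body[name_off + name_len:ctx_off]
        off = ctx_off
        for _ in range(64):              # cap the walk so a looping Next field cannot hang us
            if off + CREATE_CTX.size > ctx_end:
                raise ValueError("truncated create context")
            nxt, cn_off, cn_len = CREATE_CTX.unpack_from(body, off)[:3]
            if off + cn_off + cn_len > ctx_end or (nxt and nxt < CREATE_CTX.size):
                raise ValueError("create context out of bounds")
            contexts.append(body[off + cn_off:off + cn_off + cn_len].decode("ascii", "replace"))
            if nxt == 0:
                break
            off += nxt
        else:
            raise ValueError("create context chain too long")
    return CreateRequest(name, name_off, padding, contexts)


def name_matches(name: str, wanted: str) -> bool:
    """Exact match on the last path component: `wanted` in the share root or any subdirectory."""
    return name == wanted or name.endswith("\\" + wanted)


def filename_is(pkt: bytes, wanted: str) -> bool:
    try:
        return name_matches(parse_create_request(pkt).name, wanted)
    except ValueError:
        return False


# The pcre's right-boundary assumption reduced to its essentials: the name, up to eight NUL
# bytes, then the first create-context header (Next=0x28, NameOffset=0x10, NameLength=4).
# Not a replay of Snort's cursor handling; it only shows why non-NUL bytes after the name fail.
PADDING_PATTERN = re.compile(rb"(?:\A|\\\x00)x\x00\x00{0,8}\x28\x00\x00\x00\x10\x00\x04")


def padding_based_match(pkt: bytes) -> bool:
    try:
        req = parse_create_request(pkt)
    except ValueError:
        return False
    return PADDING_PATTERN.search(pkt[4:][req.name_offset:]) is not None
```

Parsing both dumps shows what sits between the name and the first create context: 9e6f23e4d101 in the undetected packet and six NUL bytes in the second, which is exactly what the (\x00){0,8} in the pcre cannot absorb; the |28 00 00 00 10 00 04| tail the rule anchors on is just the header of the first DHnQ create context, so it is present in both, but only reachable by the regex when the padding is NUL. The offset-based check matches both packets. In Snort terms the same idea is a byte_extract of NameLength feeding a byte_test or a content with within: the Snort manual lists content offset/depth/distance/within, byte_test, byte_jump and isdataat as the options that accept byte_extract variables, and pcre is not among them, which is the limitation Joel points out. One caveat for a production rule: SMB filenames are case-insensitive on most servers, so the comparison should casefold both sides.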
Current thread:
- Hello, Rodrigo Borges Pereira (Jul 22)
- Re: Hello, Joel Esler (jesler) (Jul 22)
- Re: Hello, Rodrigo Borges Pereira (Jul 22)
- Re: Hello, Rodrigo Borges Pereira (Jul 22)
- Re: Hello, Joel Esler (jesler) (Jul 22)
- Re: Hello, Hui cao (Jul 22)
- Re: Hello, Rodrigo Borges Pereira (Jul 22)
- Re: Hello, Rodrigo Borges Pereira (Jul 22)
- Re: Hello, Rodrigo Borges Pereira (Jul 22)
- Re: Hello, Joel Esler (jesler) (Jul 22)