Re: Issue with byte_test and bitmask

["Al Lewis \(allewi\) via Snort-sigs" <snort-sigs () lists snort org>]

Hello,

I think you are missing the last part. From the manual for bitmask:

"Applies the AND operator on the bytes converted. The result will be right-shifted by the number of bits equal to the 
number of trailing zeros in the mask.”

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004531000000000000000


So in your case the result will be shifted right 3 zeros resulting in the number 7 which is what you should be matching 
on.

Attached is a test.

In packets 1 and 3 the values are 0x38 and 0x3a. Doing the AND results in a match for both.

In packets 2 and 4 the values are 0x49 and 0x37. Doing the AND results in a non match for both.


[alewis@cliffjumper snort-2.9.9.0-released]$ ./bin/snort -c etc/torres.conf -r /tmp/TRASH.pcap -Aconsole:test -q -k none
1 1 1 0
3 1 1 0
[alewis@cliffjumper snort-2.9.9.0-released]$ cat etc/torres.conf | grep alert
alert udp any any -> any 53 (msg:"TEST for 0x38"; byte_test:1,=,0x07,0,bitmask 0xF8; sid:1; )


Try this out and let us know how it goes.

Thanks!


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Snort-sigs <snort-sigs-bounces () lists snort org<mailto:snort-sigs-bounces () lists snort org>> on behalf of 
Damian Torres via Snort-sigs <snort-sigs () lists snort org<mailto:snort-sigs () lists snort org>>
Reply-To: Damian Torres <datorr2 () gmail com<mailto:datorr2 () gmail com>>
Date: Wednesday, September 27, 2017 at 6:04 PM
To: Snort-Sigs <snort-sigs () lists snort org<mailto:snort-sigs () lists snort org>>
Subject: [Snort-sigs] Issue with byte_test and bitmask

Greetings.


I've been working on some rules that involve byte_test and although I've been able to flesh some of them out, I'm 
banging my head against the wall with one in particular.  Here is what I'm currently working on:

alert udp any any -> any 53 (msg:"OpenVPN_P_CONTROL_HARD_RESET_CLIENT_V2"; byte_test:1,=,0x38,0,bitmask 0xF8; 
classtype:not-suspicious; sid:1; rev:1;)

The byte that I am trying to test against is the very first byte in the beginning of the payload (right after the UDP 
header), byte 0.  Much like DNS, this byte contains multiple values.  In this case, this contains two values for the 
protocol.  The first five bits corresponds to an opcode, and the last three bits corresponds to a key value.  So with 
0x38, we have:

0011 1000

The first five bits have to be:

0011 1XXX - opcode of 7

I am trying to write the signature to fire regardless of what the last 3 bits are (any key) as long as the opcode is 7. 
 To do this, I tried:

byte_test:1,=,0x38,0;  -- This works if the opcode is 7 and the key is 0.
byte_test:1,=,0x38,0,bitmask 0xF8 -- This doesn't work at all.
byte_test:1,!&,0xc7,0; -- This fires on multiple opcodes.

My understand is that with the "bitmask 0xF8" option, it should do a bitwise AND operation using 0xF8 before evaluating 
the equality portion of the byte_test, which should drop off the last 3 bits and keep the first 5 bits exactly and then 
making sure they equal 0x38, but for some reason, it doesn't work


I am testing this using Snort v2.9.9.0 GRE (Build 56) compiled from source.

Any assistance would be greatly appreciated.


Warm Regards,

Damian Torres

Attachment: torres.conf
Description: torres.conf

Attachment: torres.pcap
Description: torres.pcap

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!