Snort mailing list archives
Re: Issue with byte_test and bitmask
From: "Al Lewis \(allewi\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 28 Sep 2017 12:09:37 +0000
Hello,

I think you are missing the last part. From the manual for bitmask:

"Applies the AND operator on the bytes converted. The result will be right-shifted by the number of bits equal to the number of trailing zeros in the mask."
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004531000000000000000

So in your case the result will be shifted right 3 zeros resulting in the number 7 which is what you should be matching on.

Attached is a test. In packets 1 and 3 the values are 0x38 and 0x3a. Doing the AND results in a match for both. In packets 2 and 4 the values are 0x49 and 0x37. Doing the AND results in a non match for both.

[alewis@cliffjumper snort-2.9.9.0-released]$ ./bin/snort -c etc/torres.conf -r /tmp/TRASH.pcap -Aconsole:test -q -k none
1 1 1 0
3 1 1 0
[alewis@cliffjumper snort-2.9.9.0-released]$ cat etc/torres.conf | grep alert
alert udp any any -> any 53 (msg:"TEST for 0x38"; byte_test:1,=,0x07,0,bitmask 0xF8; sid:1; )

Try this out and let us know how it goes.

Thanks!

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Damian Torres via Snort-sigs <snort-sigs () lists snort org>
Reply-To: Damian Torres <datorr2 () gmail com>
Date: Wednesday, September 27, 2017 at 6:04 PM
To: Snort-Sigs <snort-sigs () lists snort org>
Subject: [Snort-sigs] Issue with byte_test and bitmask

Greetings.

I've been working on some rules that involve byte_test and although I've been able to flesh some of them out, I'm banging my head against the wall with one in particular.

Here is what I'm currently working on:

alert udp any any -> any 53 (msg:"OpenVPN_P_CONTROL_HARD_RESET_CLIENT_V2"; byte_test:1,=,0x38,0,bitmask 0xF8; classtype:not-suspicious; sid:1; rev:1;)

The byte that I am trying to test against is the very first byte in the beginning of the payload (right after the UDP header), byte 0. Much like DNS, this byte contains multiple values. In this case, this contains two values for the protocol. The first five bits correspond to an opcode, and the last three bits correspond to a key value.

So with 0x38, we have:

    0011 1000

The first five bits have to be:

    0011 1XXX - opcode of 7

I am trying to write the signature to fire regardless of what the last 3 bits are (any key) as long as the opcode is 7. To do this, I tried:

byte_test:1,=,0x38,0; -- This works if the opcode is 7 and the key is 0.
byte_test:1,=,0x38,0,bitmask 0xF8 -- This doesn't work at all.
byte_test:1,!&,0xc7,0; -- This fires on multiple opcodes.

My understanding is that with the "bitmask 0xF8" option, it should do a bitwise AND operation using 0xF8 before evaluating the equality portion of the byte_test, which should drop off the last 3 bits and keep the first 5 bits exactly and then making sure they equal 0x38, but for some reason, it doesn't work.

I am testing this using Snort v2.9.9.0 GRE (Build 56) compiled from source.

Any assistance would be greatly appreciated.

Warm Regards,
Damian Torres
Attachment:
torres.conf
Description: torres.conf
Attachment:
torres.pcap
Description: torres.pcap
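The following is an added example, not Snort source code and not part of either message above. It models the byte_test bitmask semantics quoted from the manual (AND with the mask, then right-shift by the mask's trailing zero count, then compare) and checks the rule variants from the thread against the four first-byte values reported from the test pcap. The payload bytes after byte 0 are constructed filler; the function and constant names are this example's own.

```python
"""Model of Snort's byte_test with the bitmask modifier (added example).

Not Snort code. Reproduces the documented semantics: the extracted value is
ANDed with the mask, right-shifted by the number of trailing zero bits in
the mask, and only the shifted result is compared against the rule value.
"""
import operator
from typing import Dict, Optional

# Comparison operators byte_test supports; a leading "!" negates any of them.
_OPERATORS = {
    "=": operator.eq,
    "<": operator.lt,
    ">": operator.gt,
    "&": lambda value, cmp: (value & cmp) != 0,
    "^": lambda value, cmp: (value ^ cmp) != 0,
}


def trailing_zeros(mask: int) -> int:
    """Count trailing zero bits of mask (0xF8 = 1111 1000 -> 3)."""
    if mask == 0:
        return 0
    count = 0
    while mask & 1 == 0:
        mask >>= 1
        count += 1
    return count


def apply_bitmask(value: int, mask: int) -> int:
    """AND with the mask, then shift right so the masked field starts at bit 0."""
    return (value & mask) >> trailing_zeros(mask)


def byte_test(payload: bytes, size: int, op: str, compare: int, offset: int,
              bitmask: Optional[int] = None) -> bool:
    """Evaluate byte_test:<size>,<op>,<compare>,<offset>[,bitmask <mask>].

    Bytes are read big-endian (Snort's default). A payload too short for the
    read simply does not match, as with a real rule.
    """
    chunk = payload[offset:offset + size]
    if len(chunk) < size:
        return False
    value = int.from_bytes(chunk, "big")
    if bitmask is not None:
        value = apply_bitmask(value, bitmask)
    negate = op.startswith("!")
    result = _OPERATORS[op.lstrip("!")](value, compare)
    return not result if negate else result


def openvpn_opcode(first_byte: int) -> int:
    """High five bits of the first payload byte: the OpenVPN opcode."""
    return first_byte >> 3


# Constructed first bytes of the four test packets named in the reply
# (0x38, 0x49, 0x3a, 0x37); the trailing bytes are filler the rule never reads.
TEST_PACKETS = {
    1: bytes([0x38]) + b"\x00" * 7,
    2: bytes([0x49]) + b"\x00" * 7,
    3: bytes([0x3A]) + b"\x00" * 7,
    4: bytes([0x37]) + b"\x00" * 7,
}


def evaluate_rules(payload: bytes) -> Dict[str, bool]:
    """Run the byte_test variants discussed in the thread against one payload."""
    return {
        # Original rule: the shifted value (an opcode, 0..31) is compared with
        # 0x38, so it can never match.
        "=,0x38,bitmask 0xF8": byte_test(payload, 1, "=", 0x38, 0, 0xF8),
        # Suggested fix: compare the shifted opcode with 7, any key value.
        "=,0x07,bitmask 0xF8": byte_test(payload, 1, "=", 0x07, 0, 0xF8),
        # No bitmask: only opcode 7 with key 0 matches.
        "=,0x38": byte_test(payload, 1, "=", 0x38, 0),
        # !& 0xc7: true whenever bits 7,6,2,1,0 are clear, i.e. any of
        # opcodes 0..7 with key 0, which is why it fires on several opcodes.
        "!&,0xc7": byte_test(payload, 1, "!&", 0xC7, 0),
    }


if __name__ == "__main__":
    for num, payload in TEST_PACKETS.items():
        b = payload[0]
        print(f"packet {num}: byte 0x{b:02x} opcode={openvpn_opcode(b)} "
              f"masked={apply_bitmask(b, 0xF8)} {evaluate_rules(payload)}")
```

Running the block reproduces the reply's result: only packets 1 and 3 (0x38 and 0x3a, both opcode 7) satisfy the rule with compare value 0x07, and the original compare value 0x38 never matches once the mask has shifted the field down.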
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
Current thread:
- Issue with byte_test and bitmask Damian Torres via Snort-sigs (Sep 27)
- Re: Issue with byte_test and bitmask Al Lewis (allewi) via Snort-sigs (Sep 28)
- Re: Issue with byte_test and bitmask Damian Torres via Snort-sigs (Sep 29)
- Re: Issue with byte_test and bitmask Al Lewis (allewi) via Snort-sigs (Sep 28)