Snort mailing list archives
Re: Detection of hex pattern given directly in a TCP header
From: Russ via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 12 Oct 2017 17:44:15 -0400
If you are looking for particular values instead of specific conditions that the preprocessor may detect, I can help you get rule options running for Snort++.
On 10/12/17 4:55 PM, rmkml wrote:
> Try stream5 preproc with detect_anomalies enabled. Could you share a pcap for testing?
> Best Regards
> @Rmkml
>
> On Thu, 12 Oct 2017, Yury Markin wrote:
>> Rmkml, thank you for the answer!
>> I want to detect packets with certain values of TCP options, e.g. packets with max segment size (1000) and window scale (0). It would be great if you can advise how this scenario may be implemented.
>> Best wishes, Ustas.
>>
>> Thu 12.10.2017 20:34, rmkml wrote:
>>> Hi Ustas,
>>> Yes you are right, it is not possible to detect content on the TCP header, but could you describe more what you want to detect exactly on the TCP header please?
>>> Best Regards
>>> @Rmkml
>>>
>>> On Thu, 12 Oct 2017, Маркин Юрий Витальевич wrote:
>>>> Hello,
>>>> I'm trying to create a Snort rule for detecting a hex pattern given directly (like "|0a 01 0f 03|") in a TCP header (or IP payload). As far as I know the 'content' keyword can not help me because it is used to search for a hex pattern in the transport layer protocol payload, but not in the payload of the network layer protocol. I tried to use the 'offset' keyword with a negative value to "move" the cursor to the left of the TCP payload, but this method failed.
>>>> Is it possible for Snort to detect a hex pattern in a TCP header?
>>>> Thanks in advance.
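As the thread notes, 'content' and 'offset' only see the TCP payload, so matching header bytes or option values needs code that walks the TCP header itself. The following is an added example (not code from the list, from Snort or from any poster): it builds a constructed SYN segment carrying MSS 1000 and window scale 0, parses the options the way a preprocessor would, and also searches the raw header for a Snort-style "|..|" hex pattern. All names and the sample segment are the example's own assumptions.

```python
import struct

# Constructed sample: TCP SYN, 20-byte base header + 12 bytes of options.
# Options: MSS 1000 (02 04 03 e8), NOP (01), window scale 0 (03 03 00),
# SACK permitted (04 02), then EOL + padding (00 00). Data offset = 8 words.
SAMPLE_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 8 << 4, 0x02, 65535, 0, 0) \
    + b"\x02\x04\x03\xe8" + b"\x01" + b"\x03\x03\x00" + b"\x04\x02" + b"\x00\x00"

def tcp_header_length(segment: bytes) -> int:
    """Header length in bytes from the data offset field, with sanity checks."""
    hlen = (segment[12] >> 4) * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad TCP data offset")
    return hlen

def parse_tcp_options(segment: bytes) -> dict:
    """Return {kind: value_bytes} for every TLV option; NOP/EOL carry no value."""
    opts, i, out = segment[20:tcp_header_length(segment)], 0, {}
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL: nothing after this is an option
            break
        if kind == 1:            # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):   # kind byte present but length byte missing
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        out[kind] = opts[i + 2:i + length]
        i += length
    return out

def matches_mss_wscale(segment: bytes, mss: int = 1000, wscale: int = 0) -> bool:
    """The poster's scenario: alert when MSS == mss AND window scale == wscale."""
    opts = parse_tcp_options(segment)
    if 2 not in opts or 3 not in opts or len(opts[2]) != 2 or len(opts[3]) != 1:
        return False
    return struct.unpack("!H", opts[2])[0] == mss and opts[3][0] == wscale

def snort_hex(pattern: str) -> bytes:
    """Turn a Snort-style "|0a 01 0f 03|" string into raw bytes."""
    return bytes.fromhex(pattern.strip().strip("|"))

def header_contains(segment: bytes, pattern: str) -> bool:
    """Search the TCP header only (not the payload) for the hex pattern."""
    return snort_hex(pattern) in segment[:tcp_header_length(segment)]
```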
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!