Snort mailing list archives

Re: Detection of hex pattern given directly in a TCP header


From: Patrick Mullen <pmullen () sourcefire com>
Date: Mon, 16 Oct 2017 17:22:17 -0400

If you are handy with C, you can also write a shared object rule to access
that data.

The file os-windows_ms-windows-tcp-mss.c, available in the rule pack,
accesses the TCP options and does some value validation.  You may also
find server-other_openssl-dtls-hs-fragment.c helpful, but both of these are
not simple SO Rules and sorry but I cannot go through and explain them.
But if you're comfortable programming C, they should give you some pointers
in the right direction.


Thanks,

~Patrick


On Thu, Oct 12, 2017 at 7:07 PM, ustas <ustas () ispras ru> wrote:

Hello Russ,

I think detection of the particular values is what I need, so it would be
great if you could help me get the appropriate rule options.

Best Regards, Ustas.

Russ wrote 2017-10-13 00:44:

If you are looking for particular values instead of specific
conditions that the preprocessor may detect, I can help you get rule
options running for Snort++.

On 10/12/17 4:55 PM, rmkml wrote:

Try stream5 preproc with detect_anomalies enabled,

Could you share a pcap for testing?

Best Regards
@Rmkml

On Thu, 12 Oct 2017, Yury Markin wrote:


Rmkml, thank you for the answer!

I want to detect packets with certain values of TCP options, e.g.
packets with max segment size (1000) and window scale (0). It would be
great if you can advise how this scenario may be implemented.

Best wishes, Ustas.

Thu 12.10.2017 20:34, rmkml writes:
      Hi Ustas,

      Yes, you are right, it is not possible to detect content in the TCP
      header,

      but could you describe in more detail what exactly you want to detect
      in the TCP header please?

      Best Regards
      @Rmkml

      On Thu, 12 Oct 2017, Маркин Юрий Витальевич wrote:

            Hello,

            I'm trying to create a Snort rule for detecting a hex pattern
            given directly (like "|0a 01 0f 03|") in a TCP header (or IP
            payload). As far as I know the 'content' keyword cannot help me
            because it is used to search for a hex pattern in the transport
            layer protocol payload, but not in the payload of the network
            layer protocol. I tried to use the 'offset' keyword with a
            negative value to "move" the cursor to the left of the TCP
            payload, but this method has failed.

            Is it possible for Snort to detect a hex pattern in a TCP
            header?

            Thanks in advance.


            _______________________________________________
            Snort-sigs mailing list
            Snort-sigs () lists snort org
            https://lists.snort.org/mailman/listinfo/snort-sigs

            http://www.snort.org

            Please visit http://blog.snort.org for the latest news
            about Snort!

            Visit the Snort.org to subscribe to the official Snort
            ruleset, make sure to stay up to date to catch the most
            emerging threats (https://snort.org/downloads/#rule-downloads)!








-- 
Patrick Mullen
Response Research Manager
Cisco TALOS
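The thread leaves the C side as pointers to two rule-pack files. As an added example that is not from the thread and does not use the Snort SO rule API (which is not shown here), this stand-alone TCP options walker checks for exactly the case Ustas describes, MSS 1000 together with window scale 0, with the bounds checks a detection routine needs so a malformed option list cannot run it past the header. The sample header at the bottom is constructed, not a real capture.

```c
#include <stdint.h>
#include <stddef.h>
#define TCPOPT_EOL    0   /* end of option list */
#define TCPOPT_NOP    1   /* one-byte padding */
#define TCPOPT_MSS    2   /* kind 2, length 4, 16-bit MSS */
#define TCPOPT_WSCALE 3   /* kind 3, length 3, 8-bit shift count */

/* Walk the options area (the bytes after the fixed 20-byte TCP header).
 * Returns 1 when both MSS == want_mss and window scale == want_ws are
 * present, 0 otherwise. A truncated or self-inconsistent option list
 * returns 0 rather than reading past 'len'. */
int tcp_opts_match(const uint8_t *opts, size_t len, uint16_t want_mss, uint8_t want_ws)
{
    int mss_hit = 0, ws_hit = 0;
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return 0;                  /* no room for a length byte */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return 0;    /* length field cannot be trusted */
        if (kind == TCPOPT_MSS && olen == 4) {
            uint16_t mss = (uint16_t)((opts[i + 2] << 8) | opts[i + 3]); /* network byte order */
            if (mss == want_mss) mss_hit = 1;
        } else if (kind == TCPOPT_WSCALE && olen == 3) {
            if (opts[i + 2] == want_ws) ws_hit = 1;
        }
        i += olen;
    }
    return mss_hit && ws_hit;
}

/* Same check starting from a raw TCP header: derive the options length from
 * the data-offset field and refuse headers whose offset overruns the buffer. */
int tcp_header_match(const uint8_t *tcp, size_t len, uint16_t want_mss, uint8_t want_ws)
{
    if (len < 20) return 0;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;        /* data offset is in 32-bit words */
    if (hlen < 20 || hlen > len) return 0;
    return tcp_opts_match(tcp + 20, hlen - 20, want_mss, want_ws);
}

/* Constructed sample SYN (not a real capture): data offset 7 = 28 bytes,
 * options MSS=1000 | NOP | WSCALE=0, the combination asked about above. */
const uint8_t sample_syn[28] = {
    0xc3, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x70, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x04, 0x03, 0xe8, 0x01, 0x03, 0x03, 0x00
};
```

In a real rule the same walk would run over the header bytes Snort hands the rule, but the length checks are what matter: the data offset and each option's length byte are attacker-controlled and must be validated before use.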