Re: Question about searching in packet headers

[Santosh Subramanya via Snort-sigs <snort-sigs () lists snort org>]

Hi Fedora,

Can you tell me what exactly are trying to match in TCP header, I can try at my end on one of the pcaps and provide you 
some ways we can do it.

Regards,
santosh

From: Fedor Niskov <fedor.niskov () ispras ru>
Sent: Monday, October 19, 2020 5:47 PM
To: Santosh Subramanya <Santosh.Subramanya () Sophos com>; snort-sigs () lists snort org
Subject: Re: [Snort-sigs] Question about searching in packet headers


Thank you for your advice; it seems to be a good idea, but unfortunately, when I try to do it, it doesn't work - 
'content' in an IP rule doesn't see bytes in TCP header. What version of Snort do you use (mine is 2.9.7.0)? Maybe some 
additional rule options are required?
18.10.2020 18:56, Santosh Subramanya пишет:
Hi Fedor,
To search in TCP header, you can use alert ip $EXTERNAL_NET instead of alert tcp EXTERNAL_NET.
By using ip instead of tcp, snort starts searching patterns mention in signature from ip header.
I hope this helps.
Regards,
Santosh
Get Outlook for Android<https://aka.ms/ghei36>

________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org><mailto:snort-sigs-bounces () lists snort org> on behalf of 
Fedor Niskov via Snort-sigs <snort-sigs () lists snort org><mailto:snort-sigs () lists snort org>
Sent: Sunday, October 18, 2020 12:16:24 AM
To: snort-sigs () lists snort org<mailto:snort-sigs () lists snort org> <snort-sigs () lists snort 
org><mailto:snort-sigs () lists snort org>
Subject: [Snort-sigs] Question about searching in packet headers

Hello, excuse me, I have a question about Snort rules: can I do search in packet headers? I know about the 'content' 
option, but it performs searching only in payload; however, I'd like to check presence of some byte sequences in 
headers.

It would be useful to search in headers; for instance, I need to check some TCP options, but Snort non-payload rule 
options don't support it; if I could search for specific bytes in TCP header, I would be able to perform these checks.

(Fedor Niskov)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

________________________________

Sophos Technologies Private Limited Regd. Office: Sophos House, Saigulshan Complex, Beside White House, Panchvati Cross 
Road, Ahmedabad - 380006, Gujarat, India CIN: U72200GJ2006PTC047857

Sophos Ltd, a company registered in England and Wales number 2096520, The Pentagon, Abingdon Science Park, Abingdon, 
OX14 3YP, United Kingdom.

________________________________

Sophos Technologies Private Limited Regd. Office: Sophos House, Saigulshan Complex, Beside White House, Panchvati Cross 
Road, Ahmedabad - 380006, Gujarat, India CIN: U72200GJ2006PTC047857

Sophos Ltd, a company registered in England and Wales number 2096520, The Pentagon, Abingdon Science Park, Abingdon, 
OX14 3YP, United Kingdom.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!