Snort mailing list archives

Previous By Date Next
Previous By Thread Next

offset help.

From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 18 Jun 2003 16:27:59 -0400
Hello,
 
I have been killing myself all afternoon trying to get a rule to work using
the offset and depth keywords.
If I am trying to match the pattern 07 00 00 00 in this is the packet with
the following rule. Can anybody tell me what I am doing wrong with the depth
and offset keywords? 
 
Thanks!
 
vjl
 
alert tcp any any -> any 139 (msg:"File Write to Win 2K Startup folder.";
flow:to_server,established
; content:"|ff 53 4d 42 a2|"; depth:48; content:"|5c
00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|s|00
| |00|a|00|n|00|d|00| |00|S|00|e|00|t|00|t|00|i|00|n|00|g|00|s|00 5c 00|";
content:"|5c 00|S|00|t|00
|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5c
00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5c 00|S|00|t|
00|a|00|r|00|t|00|u|00|p|00 5c 00|"; content:"|3a 00 24
00|D|00|A|00|T|00|A|00|"; content:"|07 00 00
 00|"; offset:121; depth: 8; classtype:misc-activity; rev:1;)
 
06/18-14:36:46.956661 128.221.20.13:1499 -> 128.221.20.34:139
TCP TTL:128 TOS:0x0 ID:33861 IpLen:20 DgmLen:354 DF
***AP*** Seq: 0x8A6230AB  Ack: 0xADE3E800  Win: 0xFDFF  TcpLen: 20
0x0000: 00 06 5B 04 18 A6 00 0B DB 19 79 AD 08 00 45 00  ..[.......y...E.
0x0010: 01 62 84 45 40 00 80 06 4B 67 80 DD 14 0D 80 DD  .b.E ()    Kg......
0x0020: 14 22 05 DB 00 8B 8A 62 30 AB AD E3 E8 00 50 18  .".....b0.....P.
0x0030: FD FF 84 12 00 00 00 00 01 36 FF 53 4D 42 A2 00  .........6.SMB..
0x0040: 00 00 00 18 07 C8 00 00 00 00 00 00 00 00 00 00  ................
0x0050: 00 00 02 70 AC 0A 03 D0 43 5C 18 FF 00 DE DE 00  ...p....C\......
0x0060: E0 00 16 00 00 00 00 00 00 00 89 00 02 00 00 00  ................
0x0070: 00 00 00 00 00 00 80 00 00 00 07 00 00 00 01 00  ................
0x0080: 00 00 00 00 00 00 02 00 00 00 00 E3 00 00 5C 00  ..............\.
0x0090: 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00  D.o.c.u.m.e.n.t.
0x00A0: 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00  s. .a.n.d. .S.e.
0x00B0: 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00  t.t.i.n.g.s.\.A.
0x00C0: 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00  d.m.i.n.i.s.t.r.
0x00D0: 61 00 74 00 6F 00 72 00 5C 00 53 00 74 00 61 00  a.t.o.r.\.S.t.a.
0x00E0: 72 00 74 00 20 00 4D 00 65 00 6E 00 75 00 5C 00  r.t. .M.e.n.u.\.
0x00F0: 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 73 00  P.r.o.g.r.a.m.s.
0x0100: 5C 00 53 00 74 00 61 00 72 00 74 00 75 00 70 00  \.S.t.a.r.t.u.p.
0x0110: 5C 00 45 00 46 00 4C 00 48 00 33 00 30 00 31 00  \.E.F.L.H.3.0.1.
0x0120: 31 00 2E 00 50 00 50 00 44 00 3A 00 05 00 52 00  1...P.P.D.:...R.
0x0130: 61 00 65 00 63 00 32 00 35 00 70 00 68 00 34 00  a.e.c.2.5.p.h.4.
0x0140: 73 00 75 00 64 00 62 00 66 00 30 00 68 00 41 00  s.u.d.b.f.0.h.A.
0x0150: 61 00 71 00 35 00 65 00 68 00 77 00 33 00 4E 00  a.q.5.e.h.w.3.N.
0x0160: 66 00 3A 00 24 00 44 00 41 00 54 00 41 00 00 00  f.:.$.D.A.T.A...
 
V.Jay LaRosa                   EMC Corporation
Information Security          4400 Computer Dr.
(508)898-7433 Office       Westboro, MA 01580
(508)353-1348 Cell           www.emc.com <http://www.emc.com> 
888-799-9750 Pager         vjl () emc com
Previous By Date Next
Previous By Thread Next

Current thread: