Snort mailing list archives

RE: offset help.


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 19 Jun 2003 08:34:09 -0400

Hello Everybody,
 
I posted this message yesterday and did some more fooling around with the
offset keyword but still no luck. Does anybody know if the offset and depth
keywords are specified in hex or decimal?
 
Thanks!
 
vjl
 
-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com] 
Sent: Wednesday, June 18, 2003 4:28 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] offset help.
 
Hello,
 
I have been killing myself all afternoon trying to get a rule to work using
the offset and depth keywords.
I am trying to match the pattern 07 00 00 00 in the packet shown below with
the following rule. Can anybody tell me what I am doing wrong with the depth
and offset keywords?
 
Thanks!
 
vjl
 
alert tcp any any -> any 139 (msg:"File Write to Win 2K Startup folder."; flow:to_server,established; content:"|ff 53 4d 42 a2|"; depth:48; content:"|5c 00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|s|00| |00|a|00|n|00|d|00| |00|S|00|e|00|t|00|t|00|i|00|n|00|g|00|s|00 5c 00|"; content:"|5c 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5c 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5c 00|S|00|t|00|a|00|r|00|t|00|u|00|p|00 5c 00|"; content:"|3a 00 24 00|D|00|A|00|T|00|A|00|"; content:"|07 00 00 00|"; offset:121; depth: 8; classtype:misc-activity; rev:1;)
 
06/18-14:36:46.956661 128.221.20.13:1499 -> 128.221.20.34:139
TCP TTL:128 TOS:0x0 ID:33861 IpLen:20 DgmLen:354 DF
***AP*** Seq: 0x8A6230AB  Ack: 0xADE3E800  Win: 0xFDFF  TcpLen: 20
0x0000: 00 06 5B 04 18 A6 00 0B DB 19 79 AD 08 00 45 00  ..[.......y...E.
0x0010: 01 62 84 45 40 00 80 06 4B 67 80 DD 14 0D 80 DD  .b.E@...Kg......
0x0020: 14 22 05 DB 00 8B 8A 62 30 AB AD E3 E8 00 50 18  .".....b0.....P.
0x0030: FD FF 84 12 00 00 00 00 01 36 FF 53 4D 42 A2 00  .........6.SMB..
0x0040: 00 00 00 18 07 C8 00 00 00 00 00 00 00 00 00 00  ................
0x0050: 00 00 02 70 AC 0A 03 D0 43 5C 18 FF 00 DE DE 00  ...p....C\......
0x0060: E0 00 16 00 00 00 00 00 00 00 89 00 02 00 00 00  ................
0x0070: 00 00 00 00 00 00 80 00 00 00 07 00 00 00 01 00  ................
0x0080: 00 00 00 00 00 00 02 00 00 00 00 E3 00 00 5C 00  ..............\.
0x0090: 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00  D.o.c.u.m.e.n.t.
0x00A0: 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00  s. .a.n.d. .S.e.
0x00B0: 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00  t.t.i.n.g.s.\.A.
0x00C0: 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00  d.m.i.n.i.s.t.r.
0x00D0: 61 00 74 00 6F 00 72 00 5C 00 53 00 74 00 61 00  a.t.o.r.\.S.t.a.
0x00E0: 72 00 74 00 20 00 4D 00 65 00 6E 00 75 00 5C 00  r.t. .M.e.n.u.\.
0x00F0: 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 73 00  P.r.o.g.r.a.m.s.
0x0100: 5C 00 53 00 74 00 61 00 72 00 74 00 75 00 70 00  \.S.t.a.r.t.u.p.
0x0110: 5C 00 45 00 46 00 4C 00 48 00 33 00 30 00 31 00  \.E.F.L.H.3.0.1.
0x0120: 31 00 2E 00 50 00 50 00 44 00 3A 00 05 00 52 00  1...P.P.D.:...R.
0x0130: 61 00 65 00 63 00 32 00 35 00 70 00 68 00 34 00  a.e.c.2.5.p.h.4.
0x0140: 73 00 75 00 64 00 62 00 66 00 30 00 68 00 41 00  s.u.d.b.f.0.h.A.
0x0150: 61 00 71 00 35 00 65 00 68 00 77 00 33 00 4E 00  a.q.5.e.h.w.3.N.
0x0160: 66 00 3A 00 24 00 44 00 41 00 54 00 41 00 00 00  f.:.$.D.A.T.A...
 
V.Jay LaRosa                   EMC Corporation
Information Security          4400 Computer Dr.
(508)898-7433 Office       Westboro, MA 01580
(508)353-1348 Cell           www.emc.com <http://www.emc.com> 
888-799-9750 Pager         vjl () emc com
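Working from the dump quoted above, the script below (an added example, not part of the original post) rebuilds the frame, strips the Ethernet, IPv4 and TCP headers, and reports where the 07 00 00 00 pattern sits both as the hex dump shows it (from the frame start) and relative to the TCP payload, which is what Snort's decimal offset and depth keywords count from. Only the first eight dump lines are embedded, which is enough to reach the pattern.

```python
import re

# Constructed input: the first eight lines of the hex dump quoted in the post
# (frame bytes 0x0000-0x007F), enough to cover the 07 00 00 00 pattern.
HEXDUMP = r"""
0x0000: 00 06 5B 04 18 A6 00 0B DB 19 79 AD 08 00 45 00  ..[.......y...E.
0x0010: 01 62 84 45 40 00 80 06 4B 67 80 DD 14 0D 80 DD  .b.E@...Kg......
0x0020: 14 22 05 DB 00 8B 8A 62 30 AB AD E3 E8 00 50 18  .".....b0.....P.
0x0030: FD FF 84 12 00 00 00 00 01 36 FF 53 4D 42 A2 00  .........6.SMB..
0x0040: 00 00 00 18 07 C8 00 00 00 00 00 00 00 00 00 00  ................
0x0050: 00 00 02 70 AC 0A 03 D0 43 5C 18 FF 00 DE DE 00  ...p....C\......
0x0060: E0 00 16 00 00 00 00 00 00 00 89 00 02 00 00 00  ................
0x0070: 00 00 00 00 00 00 80 00 00 00 07 00 00 00 01 00  ................
"""

def parse_hexdump(dump):
    """Rebuild raw frame bytes from '0xOFFS: <16 hex pairs>  <ascii>' lines."""
    frame = bytearray()
    for line in dump.splitlines():
        m = re.match(r"0x([0-9A-Fa-f]{4}):\s+(.*)", line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(frame):
            raise ValueError("hex dump is not contiguous at 0x" + m.group(1))
        frame += bytes.fromhex(m.group(2).partition("  ")[0])  # drop ASCII column
    return bytes(frame)

def tcp_payload(frame):
    """Strip Ethernet II + IPv4 (IHL) + TCP (data offset): what Snort inspects."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("expected IPv4/TCP over Ethernet II")
    ihl = (frame[14] & 0x0F) * 4
    ip_total = int.from_bytes(frame[16:18], "big")
    tcp = 14 + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + data_off:14 + ip_total]

def locate(frame, pattern):
    """Offset of pattern in the frame (what the hex dump shows) and in the TCP
    payload (the decimal value Snort's offset keyword expects); depth is counted
    from offset and must be at least len(pattern)."""
    p_off = tcp_payload(frame).find(pattern)
    if p_off < 0:
        raise ValueError("pattern not found in TCP payload")
    return {"frame_offset": frame.find(pattern), "payload_offset": p_off,
            "snort_offset": p_off, "snort_depth": len(pattern)}

if __name__ == "__main__":
    info = locate(parse_hexdump(HEXDUMP), bytes.fromhex("07 00 00 00"))
    print(info)  # frame_offset 122 (0x7A), payload_offset 68
```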
 