Snort mailing list archives

Re: [Snort-sigs] question about isdataat


From: Joel Esler <eslerj () gmail com>
Date: Mon, 6 Jul 2009 08:41:54 -0400

2009/7/5 김무성 <kimms () infosec co kr>

This is the description of the isdataat option in the Snort manual.

isdataat

Verify that the payload has data at a specified location, optionally looking for data relative to the end of the previous content match.

Format

isdataat:<int>[,relative];

Example

alert tcp any any -> any 111 (content:"PASS"; isdataat:50,relative;
content:!"|0a|"; distance:0;)

This rule looks for the string PASS in the packet, then verifies there are at least 50 bytes after the end of the string PASS, then verifies that there is not a newline character within 50 bytes of the end of the PASS string.

This is just an example.

So I tested.

My test rule is this:

alert tcp any any -> any any (content:"kmsjlove"; nocase; depth:8;
isdataat:50, relative; content:"|0a|"; distance:0;)


Look for "kmsjlove" no more than 8 bytes from the beginning of the packet,
then skip ahead 50 bytes, relative to the end of the previous content match,
which is "kmsjlove" and see if data is there.  Then, do a content match for
the hex string 0a, at a distance of 0 relative to the end of the previous
content match, which is "kmsjlove".


Does that help?

Isdataat is a "Read ahead" to see if data exists at some point (in
your case, 50, relative) in the packet.  Doesn't matter
what the data is, just as long as data exists.  Isdataat does not set
pointers.



-- 
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
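The cursor behaviour Joel describes (a content match moves the detection cursor to the end of what it matched, isdataat only reads ahead and leaves the cursor where it is, and a later distance:0 is measured from the last content match, not from the isdataat offset) can be made concrete with a small model. The following is an added example written for this thread; it is not Snort source code and not code posted by either participant. The option semantics follow the manual text quoted in the question; the Matcher class, the _unhex helper, the payload names and the payload bytes are this example's own constructions. One assumption is labelled in the code: isdataat:N is modelled as "a byte exists at offset N from the reference point", which is how the manual's "data at a specified location" reads, and differs from "at least N bytes after" by at most one byte.

```python
"""Toy model of the Snort 2 rule-option cursor ("doe", detect offset end).

Added example for this thread; not Snort code and not code from the
thread's participants.  Option semantics follow the quoted manual text;
the matcher, helper names and payloads below are constructed for the
example.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def _unhex(pattern: str) -> bytes:
    """Turn a Snort content string such as 'PASS' or '|0a|' into bytes.

    Only the |hex| escape is handled, which is all the quoted rules use.
    """
    out = bytearray()
    i = 0
    while i < len(pattern):
        if pattern[i] == "|":
            end = pattern.index("|", i + 1)
            out += bytes.fromhex(pattern[i + 1:end])  # fromhex tolerates spaces
            i = end + 1
        else:
            out.append(ord(pattern[i]))
            i += 1
    return bytes(out)


@dataclass
class Matcher:
    """Evaluates content/isdataat options in order against one payload."""
    payload: bytes
    doe: int = 0                              # end of the last content match
    trace: List[str] = field(default_factory=list)

    def content(self, pattern: str, *, negated: bool = False, nocase: bool = False,
                offset: int = 0, depth: int = None, distance: int = None,
                within: int = None) -> bool:
        pat = _unhex(pattern)
        relative = distance is not None or within is not None
        # distance/within are measured from doe; offset/depth from the buffer start.
        start = self.doe + (distance or 0) if relative else offset
        if relative:
            end = len(self.payload) if within is None else start + within
        else:
            end = len(self.payload) if depth is None else start + depth
        window = self.payload[start:end]
        idx = window.lower().find(pat.lower()) if nocase else window.find(pat)
        found = idx >= 0
        if negated:
            # A negated content passes when the pattern is absent; nothing was
            # matched, so the cursor is left where it was.
            ok = not found
            self.trace.append(f"content:!{pattern} -> {'pass' if ok else 'fail'} (doe stays {self.doe})")
            return ok
        if found:
            self.doe = start + idx + len(pat)     # only a positive match moves doe
            self.trace.append(f"content:{pattern} -> match at {start + idx}, doe={self.doe}")
            return True
        self.trace.append(f"content:{pattern} -> no match in [{start},{end})")
        return False

    def isdataat(self, n: int, relative: bool = False) -> bool:
        # Assumption of this model: "data at offset n" means byte index base+n
        # exists.  Whatever the outcome, doe is not touched (no pointer is set).
        base = self.doe if relative else 0
        ok = base + n < len(self.payload)
        self.trace.append(f"isdataat:{n}{',relative' if relative else ''} -> "
                          f"{'pass' if ok else 'fail'} (doe stays {self.doe})")
        return ok


def manual_rule(payload: bytes) -> Tuple[bool, List[str]]:
    """content:"PASS"; isdataat:50,relative; content:!"|0a|"; distance:0;"""
    m = Matcher(payload)
    ok = (m.content("PASS")
          and m.isdataat(50, relative=True)
          and m.content("|0a|", negated=True, distance=0))
    return ok, m.trace


def posted_rule(payload: bytes) -> Tuple[bool, List[str]]:
    """content:"kmsjlove"; nocase; depth:8; isdataat:50,relative; content:"|0a|"; distance:0;"""
    m = Matcher(payload)
    ok = (m.content("kmsjlove", nocase=True, depth=8)
          and m.isdataat(50, relative=True)
          and m.content("|0a|", distance=0))
    return ok, m.trace


# Constructed payloads (not captured traffic), chosen to exercise each option.
PAYLOADS: Dict[str, bytes] = {
    "pass_long":    b"PASS" + b"A" * 60,                      # 64 bytes, no LF
    "pass_short":   b"PASS" + b"A" * 20,                      # too short for isdataat:50
    "pass_late_lf": b"PASS" + b"A" * 55 + b"\n" + b"B" * 5,   # LF 55 bytes after PASS
    "kms_early_lf": b"KMSJLOVE" + b"x" * 10 + b"\n" + b"y" * 50,  # LF 10 bytes after match
    "kms_shifted":  b"xkmsjlove" + b"y" * 60,                 # pattern not inside depth:8
}


def run_all() -> Dict[str, bool]:
    """Evaluate the manual rule on the PASS payloads and the posted rule on the others."""
    results = {}
    for name, data in PAYLOADS.items():
        rule = manual_rule if name.startswith("pass") else posted_rule
        results[name] = rule(data)[0]
    return results


if __name__ == "__main__":
    for name, data in PAYLOADS.items():
        rule = manual_rule if name.startswith("pass") else posted_rule
        ok, trace = rule(data)
        print(f"{name}: {'ALERT' if ok else 'no alert'}")
        for line in trace:
            print("   ", line)
```

Two traces are worth reading. For kms_early_lf the posted rule alerts with the newline found 10 bytes after "kmsjlove": the isdataat:50,relative check passed and left doe at 8, so content:"|0a|"; distance:0 started searching at byte 8, exactly as Joel's reply describes. For pass_late_lf the manual's example rule does not alert even though the newline sits 55 bytes after PASS: the negated content carries distance:0 but no within, so in this model, as in Snort, its search window runs to the end of the payload rather than stopping 50 bytes out; adding within:50 to the negated content is what would confine the check to that range.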
