Re: Question about content

[Paul Schmehl <pschmehl_lists () tx rr com>]

Speaking of rocks and glass houses, you really should read before responding to 
someone.

The OP asked "I want to detect the last word in the content
for exemple if I have this bytes: ....1245643577AAAA
how can I verify that it contains "AAAA" at the end without knowing the total 
size of bytes"

Your rule assumes the content is 4 bytes in.  It also assumes that the content 
will come in a GET request using the protocol http, none of which the OP 
specified.

Now, tell us how you could detect the last_four_bytes in *any* packet.  Maybe 
then you'll get an A for more than effort and help the OP with his homework in 
the process.  As it is, you've earned him a failing grade for not reading the 
assignment correctly.

I'll give you a hint.  Since the question doesn't specify protocol *or* 
directionality, you would start with:

alert ip any any -> any any.

The rest is left as an exercise for the reader.  If you can answer the question 
"how can I know how many bytes there are in a packet", you're halfway there.

--On Tuesday, December 01, 2009 08:47:57 -0600 evilghost () packetmail net wrote:

> ...1245643577AAAA
> > > how can I verify that it contains "AAAA"
>
> Making assumptions about direction, protocol, and content I would try
> something like this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AAAA detected";
> flow:established,to_server; content:"GET "; depth:4; content:"AAAA";
> pcre:"/\d+AAAA$/"; classtype:suspicious-activity; sid:20091201; rev:1;)
>
> As it stands the signature is costly but you would need to supply additional
> criteria for us to narrow it down.  For example, are you looking in the
> uribuffer or http_headers?  Content body?  What layer 7 protocol?  Any other
> identifying factors that could add to the precision?
>
> Note - SourceFire shouldn't be allowed to interface with the public,
> especially if the responses are accusatory in nature.  Some of the quality in
> VRT signatures I've seen make me laugh when they respond like they do here.
> It's always funny to watch the baboons throwing rocks from their glass houses.
>
>
> Matt Olney wrote:
> > Yep...but I'm feeling uber generous this morning, so I'll give you a tip:
> >
> > PCRE$
> >
> > On Tue, Dec 1, 2009 at 8:33 AM, Nigel Houghton <nhoughton () sourcefire com>
> > wrote:
> >
> > > On Tue, Dec 1, 2009 at 4:11 AM, sofia insat <sofia.insat () yahoo fr> wrote:
> > >
> > > > Hi,
> > > >
> > > > I want to detect the last word in the content
> > > > for exemple if I have this bytes: ....1245643577AAAA
> > > > how can I verify that it contains "AAAA" at the end without knowing the
> > > > total size of bytes
> > > >
> > > >
> > > >
> > > > --------------------------------------------------------------------------
> > > > ---- Join us December 9, 2009 for the Red Hat Virtual Experience,
> > > > a free event focused on virtualization and cloud computing.
> > > > Attend in-depth sessions from your desk. Your couch. Anywhere.
> > > > http://p.sf.net/sfu/redhat-sfdev2dev
> > > > _______________________________________________
> > > > Snort-sigs mailing list
> > > > Snort-sigs () lists sourceforge net
> > > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > > Again, this looks like a homework assignment. This list is not the
> > > place for homework questions.
> > >
> > > The answers you seek can be found in the Snort manual and the
> > > associated README files in the Snort tarball. You need to do some work
> > > and read the documentation.
> > >
> > > --
> > > Nigel Houghton
> > > Head Mentalist
> > > SF VRT
> > > http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
> > >
> > > ---------------------------------------------------------------------------
> > > --- Join us December 9, 2009 for the Red Hat Virtual Experience,
> > > a free event focused on virtualization and cloud computing.
> > > Attend in-depth sessions from your desk. Your couch. Anywhere.
> > > http://p.sf.net/sfu/redhat-sfdev2dev
> > > _______________________________________________
> > > Snort-sigs mailing list
> > > Snort-sigs () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > ----------------------------------------------------------------------------
> > -- Join us December 9, 2009 for the Red Hat Virtual Experience,
> > a free event focused on virtualization and cloud computing.
> > Attend in-depth sessions from your desk. Your couch. Anywhere.
> > http://p.sf.net/sfu/redhat-sfdev2dev
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> ------------------------------------------------------------------------------
> Join us December 9, 2009 for the Red Hat Virtual Experience,
> a free event focused on virtualization and cloud computing.
> Attend in-depth sessions from your desk. Your couch. Anywhere.
> http://p.sf.net/sfu/redhat-sfdev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson


------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs