Snort mailing list archives
Re: Question about content
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 01 Dec 2009 10:53:46 -0600
Speaking of rocks and glass houses, you really should read before responding to someone. The OP asked:

"I want to detect the last word in the content for example if I have these bytes: ....1245643577AAAA how can I verify that it contains "AAAA" at the end without knowing the total size of bytes"

Your rule assumes the content is 4 bytes in. It also assumes that the content will come in a GET request using the protocol http, none of which the OP specified.

Now, tell us how you could detect the last_four_bytes in *any* packet. Maybe then you'll get an A for more than effort and help the OP with his homework in the process. As it is, you've earned him a failing grade for not reading the assignment correctly.

I'll give you a hint. Since the question doesn't specify protocol *or* directionality, you would start with:

alert ip any any -> any any

The rest is left as an exercise for the reader. If you can answer the question "how can I know how many bytes there are in a packet", you're halfway there.

--On Tuesday, December 01, 2009 08:47:57 -0600 evilghost () packetmail net wrote:
>> ...1245643577AAAA
>> how can I verify that it contains "AAAA"
>
> Making assumptions about direction, protocol, and content I would try something like this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AAAA detected"; flow:established,to_server; content:"GET "; depth:4; content:"AAAA"; pcre:"/\d+AAAA$/"; classtype:suspicious-activity; sid:20091201; rev:1;)
>
> As it stands the signature is costly but you would need to supply additional criteria for us to narrow it down. For example, are you looking in the uri buffer or http_headers? Content body? What layer 7 protocol? Any other identifying factors that could add to the precision?
>
> Note - SourceFire shouldn't be allowed to interface with the public, especially if the responses are accusatory in nature. Some of the quality in VRT signatures I've seen make me laugh when they respond like they do here. It's always funny to watch the baboons throwing rocks from their glass houses.
>
> Matt Olney wrote:
>> Yep...but I'm feeling uber generous this morning, so I'll give you a tip: PCRE$
>>
>> On Tue, Dec 1, 2009 at 8:33 AM, Nigel Houghton <nhoughton () sourcefire com> wrote:
>>> On Tue, Dec 1, 2009 at 4:11 AM, sofia insat <sofia.insat () yahoo fr> wrote:
>>>> Hi,
>>>> I want to detect the last word in the content for example if I have these bytes: ....1245643577AAAA how can I verify that it contains "AAAA" at the end without knowing the total size of bytes
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev
>>>> _______________________________________________
>>>> Snort-sigs mailing list
>>>> Snort-sigs () lists sourceforge net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>> Again, this looks like a homework assignment. This list is not the place for homework questions.
>>>
>>> The answers you seek can be found in the Snort manual and the associated README files in the Snort tarball. You need to do some work and read the documentation.
>>>
>>> --
>>> Nigel Houghton
>>> Head Mentalist SF VRT
>>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
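The thread turns on one question: how to match a fixed trailing string ("AAAA") in a payload of unknown length. The two mechanisms mentioned are the `$` anchor in `pcre` (Matt Olney's "PCRE$" tip, used in evilghost's `/\d+AAAA$/`) and, as an alternative Snort offers, a `content` match followed by a negated `isdataat:!1,relative` (require that no byte follows the match). The following Python is an added illustration, not code from any poster and not Snort itself: it emulates both checks over a few constructed payloads so the end-of-buffer behaviour, including the PCRE quirk that `$` also matches just before a final newline, can be seen without a running sensor. The payload bytes, the function names, and the assumption that Snort retries later `content` occurrences when a relative option fails are all constructed for the example; the `GET`/`depth:4` restriction from the posted rule is deliberately not emulated, since the OP asked about any packet.

```python
import re

# Constructed sample payloads (not taken from the thread): the OP's own
# shape, one with a trailing newline, one with AAAA in the middle, one with
# two occurrences where only the last is terminal, and one with no AAAA.
SAMPLE_PAYLOADS = {
    "op_example": b"....1245643577AAAA",
    "trailing_newline": b"....1245643577AAAA\n",
    "middle_only": b"....AAAA1245643577",
    "two_occurrences": b"..AAAAx99AAAA",
    "no_match": b"....1245643577BBBB",
}

# The expression from evilghost's rule, /\d+AAAA$/. In PCRE and in Python's
# re module, '$' matches at the very end OR just before a final newline, so a
# payload ending in "AAAA\n" still matches. Note the \d+ also demands at least
# one digit immediately before AAAA, which the OP never asked for.
THREAD_PATTERN = re.compile(rb"\d+AAAA$")

# Strict end-of-buffer anchor. Python's \Z is the equivalent of PCRE's \z:
# it matches only at the true end of the data, with no newline allowance.
STRICT_PATTERN = re.compile(rb"AAAA\Z")


def pcre_dollar_matches(payload: bytes) -> bool:
    """Emulate pcre:"/\\d+AAAA$/" applied to the whole payload, any length."""
    return THREAD_PATTERN.search(payload) is not None


def strict_end_matches(payload: bytes) -> bool:
    """Emulate a pcre using \\z (Python \\Z): AAAA must be the last four bytes."""
    return STRICT_PATTERN.search(payload) is not None


def isdataat_style_matches(payload: bytes, needle: bytes = b"AAAA") -> bool:
    """Emulate content:"AAAA"; isdataat:!1,relative;

    Find the needle, then require that no byte exists one position past the
    end of the match. Assumption for this example: if the relative check fails
    for one occurrence, the next occurrence of the needle is tried.
    """
    start = 0
    while True:
        idx = payload.find(needle, start)
        if idx == -1:
            return False
        if idx + len(needle) == len(payload):
            return True  # nothing follows the match: it is the tail
        start = idx + 1


def evaluate_all(payloads=SAMPLE_PAYLOADS) -> dict:
    """Run all three checks over every sample and return the verdicts."""
    return {
        name: {
            "pcre_dollar": pcre_dollar_matches(data),
            "strict_end": strict_end_matches(data),
            "isdataat": isdataat_style_matches(data),
        }
        for name, data in payloads.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        print(f"{name:18s} {verdicts}")
```

The instructive rows are `trailing_newline`, where only the `$`-anchored regex fires, and `two_occurrences`, where the `isdataat` emulation still fires because the second AAAA is terminal. A rule author who wants "exactly the last four bytes" should prefer the `\z` anchor or the `isdataat` form over a bare `$`.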
Current thread:
- Question about content sofia insat (Dec 01)
- Re: Question about content Nigel Houghton (Dec 01)
- Re: Question about content Matt Olney (Dec 01)
- Re: Question about content evilghost () packetmail net (Dec 01)
- Re: Question about content Nigel Houghton (Dec 01)
- Re: Question about content Chris Jacob (Dec 01)
- Re: Question about content Matt Olney (Dec 01)
- Re: Question about content evilghost () packetmail net (Dec 01)
- Re: Question about content Alex Kirk (Dec 01)
- Re: Question about content Matt Olney (Dec 01)
- Re: Question about content Paul Schmehl (Dec 01)
- Re: [AUTO IP] Re: Question about content evilghost () packetmail net (Dec 01)
- Re: [AUTO IP] Re: Question about content Paul Schmehl (Dec 01)
- Re: [AUTO IP] Re: Question about content Matt Olney (Dec 01)
- Re: [AUTO IP] Re: [AUTO IP] Re: Question about content evilghost () packetmail net (Dec 01)
- Re: Question about content Nigel Houghton (Dec 01)