Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [AUTO IP] Re: Question about content

From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Tue, 1 Dec 2009 11:46:04 -0600
Paul, since you failed at reading comprehension, here would be the 
*critical* statement I made *before* I supplied the rule, as an example 
of how PCRE could be used to detect what the OP has requested:

"Making assumptions about direction, protocol, and content I would try 
something like this:"

I do appreciate your gems of wisdom concerning the ip based rule.

Paul Schmehl wrote:

Speaking of rocks and glass houses, you really should read before responding to 
someone.

The OP asked "I want to detect the last word in the content
for exemple if I have this bytes: ....1245643577AAAA
how can I verify that it contains "AAAA" at the end without knowing the total 
size of bytes"

Your rule assumes the content is 4 bytes in.  It also assumes that the content 
will come in a GET request using the protocol http, none of which the OP 
specified.

Now, tell us how you could detect the last_four_bytes in *any* packet.  Maybe 
then you'll get an A for more than effort and help the OP with his homework in 
the process.  As it is, you've earned him a failing grade for not reading the 
assignment correctly.

I'll give you a hint.  Since the question doesn't specify protocol *or* 
directionality, you would start with:

alert ip any any -> any any.

The rest is left as an exercise for the reader.  If you can answer the question 
"how can I know how many bytes there are in a packet", you're halfway there.

--On Tuesday, December 01, 2009 08:47:57 -0600 evilghost () packetmail net wrote:

  

...1245643577AAAA
    

how can I verify that it contains "AAAA"
        

Making assumptions about direction, protocol, and content I would try
something like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AAAA detected";
flow:established,to_server; content:"GET "; depth:4; content:"AAAA";
pcre:"/\d+AAAA$/"; classtype:suspicious-activity; sid:20091201; rev:1;)

As it stands the signature is costly but you would need to supply additional
criteria for us to narrow it down.  For example, are you looking in the
uribuffer or http_headers?  Content body?  What layer 7 protocol?  Any other
identifying factors that could add to the precision?

Note - SourceFire shouldn't be allowed to interface with the public,
especially if the responses are accusatory in nature.  Some of the quality in
VRT signatures I've seen make me laugh when they respond like they do here.
It's always funny to watch the baboons throwing rocks from their glass houses.


Matt Olney wrote:
    

Yep...but I'm feeling uber generous this morning, so I'll give you a tip:

PCRE$

On Tue, Dec 1, 2009 at 8:33 AM, Nigel Houghton <nhoughton () sourcefire com>
wrote:

      

On Tue, Dec 1, 2009 at 4:11 AM, sofia insat <sofia.insat () yahoo fr> wrote:

        

Hi,

I want to detect the last word in the content
for exemple if I have this bytes: ....1245643577AAAA
how can I verify that it contains "AAAA" at the end without knowing the
total size of bytes



--------------------------------------------------------------------------
---- Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


          

Again, this looks like a homework assignment. This list is not the
place for homework questions.

The answers you seek can be found in the Snort manual and the
associated README files in the Snort tarball. You need to do some work
and read the documentation.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

---------------------------------------------------------------------------
--- Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


        

----------------------------------------------------------------------------
-- Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


      

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
    




  


------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Previous By Date Next
Previous By Thread Next

Current thread: