FW: No need for content modifier 'within'

["Crook, Parker" <Parker_Crook () reyrey com>]

I wanted to post up the dialogue that L0rd Ch0de1m0rt and I had outside of the mailing list yesterday afternoon, in 
case anyone else was following the topic previously.

-Parker

-----Original Message-----
From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt () gmail com]
Sent: Thursday, June 10, 2010 6:43 PM
To: Crook, Parker
Subject: Re: [Snort-sigs] No need for content modifier 'within'

Parker,

Well put, I agree.  I was surprised that depth worked the way it did
with distance (I figured depth would start from the beginning of the
payload like you said) so that is why I started this thread.  Makes
sense like you said if distance is evaluated first and moves the
pointer in the payload buffer relative to the last content match and
then depth uses that same pointer.

Thanks again for the responses.

-L0rd Ch0de1m0rt

On Thu, Jun 10, 2010 at 4:03 PM, Crook, Parker <Parker_Crook () reyrey com> wrote:
> L0rd Ch0de1m0rt,
>
> You are correct, under the current implementation of the logic managing these options, distance+depth is functionally 
> equivalent to within.  I believe this is because when the distance option is set, it temporarily moves the offset 
> flag up for the current content evaluation, hence why depth works in these scenarios (after the current content 
> match, the temporary move of the offset flag reverts back to its original position, this is probably done as a sanity 
> check for using these options together).  Technically though, this should not happen, and there should be in most 
> cases a 'field of evaluation' mismatch where the field to be evaluated doesn't even coexist for both parameters, ie:
>
> alert tcp any any -> any any (msg:"WITHIN TEST!"; \ flow:established,to_server; content:"hello"; \
> nocase; content:"world"; distance:4; depth:5; \
> classtype:trojan-activity; sid:20104569; rev:1;)
>
> --depth 5 field should evaluate the 5 bytes at the beginning of the payload, as no offset is set.
> --Distance 4 field exists 4 bytes after the last match.
>
> These spaces are not congruent, and as such these options used in conjunction should not be valid.
>
> If SF wants to change it so that depth only works with offset, that's fine by me...
>
> Enjoy your evening.
> -Parker
>
> -----Original Message-----
> From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt () gmail com]
> Sent: Thursday, June 10, 2010 4:42 PM
> To: Crook, Parker
> Subject: Re: [Snort-sigs] No need for content modifier 'within'
>
> Parker,
>
> Thanks for the response. I guess what I'm saying is that within:5 is
> the same functionally as distance:0; depth:5;.  I encourage you to
> test this if you don't believe me. However, according to Sourcefire,
> this behaviour may change so they still recommends using offset+depth
> and distance+within.
>
> -L0rd Ch0de1m0rt
>
> On Thu, Jun 10, 2010 at 3:17 PM, Crook, Parker <Parker_Crook () reyrey com> wrote:
> > I know it's poor form, but I'm replying to my own post... I retract my
> > statement about double-dipping.  As distance just sets where to start
> > looking.  If you use distance+depth you specify an exact range, or location
> > if you are specific enough, in which the content is searched for.  So
> > distance+depth enables you to specify exactly where to look, whereas within
> > allows you to specify a more open range of bytes to search for your content.
> >
> > ...that and using depth alone, allows you to specify a search range based off
> > of the beginning of the payload or the offset flag.
> >
> >
> >
> > Sorry about that.
> >
> > -Parker
> >
> >
> >
> > ________________________________
> >
> > From: Crook, Parker [mailto:Parker_Crook () reyrey com]
> > Sent: Thursday, June 10, 2010 4:02 PM
> > To: 'Matt Olney'; L0rd Ch0de1m0rt
> > Cc: snort-sigs () lists sourceforge net
> > Subject: Re: [Snort-sigs] No need for content modifier 'within'
> >
> >
> >
> > Hello good sirs,
> >
> >
> >
> > I wanted to chime in here and say that 'depth' is 'relative', but only to
> > the 'offset' flag, and if no 'offset' flag is set, the beginning of the
> > payload is used as the starting point.  With that in mind, 'within' is a
> > useful content matching option as every time you want to constrain a match
> > to a certain field after your previous match, you don't have to move your
> > offset (The workaround to this would be an ugly hack of using
> > distance+depth).
> >
> >
> >
> > Now I think this is much clearer when you run a test on a rule that is not a
> > simple composite, but rather a complex, ie, more than 3 content matches:
> >
> >
> >
> > alert tcp any any -> any any (msg:"DEPTH TEST-passed!";
> > flow:established,to_server; content:"hello"; nocase; content:"3";
> > distance:2; depth:3; content:"world"; nocase; distance:1; depth:5;
> > classtype:trojan-activity; sid:20104568; rev:1;)
> >
> >
> >
> > vs
> >
> >
> >
> > alert tcp any any -> any any (msg:"WITHIN TEST-passed!";
> > flow:established,to_server; content:"hello"; nocase; content:"3"; within:3;
> > content:"world"; within:6; classtype:trojan-activity; sid:20104569; rev:1;)
> >
> >
> >
> > or a composite of the two types:
> >
> >
> >
> > alert tcp any any -> any any (msg:"COMBO TEST-passed!";
> > flow:established,to_server; content:"hello"; nocase; content:"3"; within:3;
> > content:"world"; distance:1; depth:5; classtype:trojan-activity;
> > sid:20104570; rev:1;)
> >
> >
> >
> > I have verified that all three of the aforementioned rules trigger.  It
> > would seem to me that 'within' is a much more elegant solution if you are
> > trying to ensure that a value is scattered somewhere with a range of
> > possibilities, but if you want to be surgical with your rules 'distance' +
> > 'depth' would be better suited, but really at this point you're
> > double-dipping with options:  distance is going to set your match at the
> > beginning and depth is going to set your end of the field, so you might just
> > be better off using distance at that point, ie:
> >
> >
> >
> > alert tcp any any -> any any (msg:"CONTENT TEST-passed!";
> > flow:established,to_server; content:"hello"; nocase; content:"3";
> > distance:2; content:"world"; nocase; distance:1; classtype:trojan-activity;
> > sid:20104571; rev:1;)
> >
> >
> >
> > I think both depth and within deserve their place in rules, as sometimes
> > room for padding needs to be made whereas other times exact placement of
> > payload is necessary.
> >
> >
> >
> > I hope I haven't confused anyone.  I tried to be as clear as I could, and if
> > any of it needs clarification, I'll be happy to provide it.
> >
> > -Parker
> >
> >
> >
> > ________________________________
> >
> > From: Matt Olney [mailto:molney () sourcefire com]
> > Sent: Thursday, June 10, 2010 12:00 PM
> > To: L0rd Ch0de1m0rt
> > Cc: snort-sigs () lists sourceforge net
> > Subject: Re: [Snort-sigs] No need for content modifier 'within'
> >
> >
> >
> > Your Chodeship,
> >
> > I'm at home taking a couple of days off, and haven't tested it, but here is
> > my understanding:
> >
> >
> >
> >
> >
> > For the string:
> >
> >
> >
> > "I wrote hello world"
> >
> >
> >
> > content:"hello"; content:"wrote"; distance: 0; depth:5;
> >
> >
> >
> > would fire because "depth" and "offset" force a flag of non-relative to the
> > match.  I may be getting this backwards, and it may be that "distance" sets
> > a relative flag instead, but one way or another those two terms are bound
> > together.  I'll do some testing
> >
> >
> >
> > I'll try and set some time aside Monday to test this, if no one else gets to
> > it, but in the meantime, please follow the recommendations.
> >
> >
> >
> > Matt
> >
> > On Thu, Jun 10, 2010 at 11:32 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
> > wrote:
> >
> > I understand what you are saying but I'm not sure it is congruent with
> > current reality.  Try this -- run these two rules:
> >
> > alert tcp any any -> any any (msg:"DEPTH TEST!";
> > flow:established,to_server; content:"hello"; nocase; content:"world";
> > distance:4; depth:5; classtype:trojan-activity; sid:20104568; rev:1;)
> >
> > alert tcp any any -> any any (msg:"WITHIN TEST!";
> > flow:established,to_server; content:"hello"; nocase; content:"world";
> > distance:4; within:5; classtype:trojan-activity; sid:20104569; rev:1;)
> >
> > And then browse to http://www.google.com/hello1234world
> >
> > Do they both alert?  If so, that would seem to indicate that depth is
> > relative, no?
> >
> > I'd also encourage you to test http://www.google.com/hello123world and
> > http://www.google.com/hello12345world and verify that those don't
> > cause alerts.
> >
> > Cheers,
> >
> > -L0rd Ch0de1m0rt
> >
> > On 6/10/10, Joel Esler <jesler () sourcefire com> wrote:
> > > I apologize I mean depth instead of distance.  My fingers typed the wrong
> > > word.
> > >
> > > You can do a distance:0, but within allows you to tell the search where to
> > > stop.  Distance is relative to the last match, within is relative to this
> > > match.
> > >
> > > Depth tells Snort how far to read into a packet to search for a pattern
> > > Offset tells Snort how far to read into a packet to START searching for a
> > > pattern
> > > Distance tells Snort how far into a packet Snort should skip relative to
> > > the
> > > end of the previous content match
> > > Within makes sure that there is "x" amount of bytes between pattern
> > > matches.
> > >
> > > You can't use a depth with a distance, as depth references the offset, not
> > > the relative distance from last match (that's what distance is for)
> > >
> > > There are reasons for all four, we've had this debate for years.
> > >
> > > Plus with distance, you can do negative relativity, you can't do that with
> > > offset.  Just FYI.
> > >
> > >
> > > 11:04 AM, on Jun 10, 2010, wrote:
> > >
> > > > What?  Are you confusing distance and offset?  According to your blog
> > > > post according to the Snort manual, "The distance keyword allows the
> > > > rule writer to specify how far into a packet Snort should ignore
> > > > before starting to search for the specified pattern relative to the
> > > > end of the previous pattern match."
> > > >
> > > > Distance is relative and I'm saying we don't really need the 'within'
> > > > keyword since we can just do distance:0; and then use depth since
> > > > depth is relative as well.
> > > >
> > > > Hope this helps.
> > > >
> > > > -L0rd Ch0de1m0rt
> > > >
> > > > On 6/10/10, Joel Esler <jesler () sourcefire com> wrote:
> > > > > Distance tells Snort how far to read into a packet to search for a
> > > > > pattern
> > > > > Within makes sure that at most "x" amount of bytes are between pattern
> > > > > matches.
> > > > >
> > > > > Within is relative, distance is not.
> > > > >
> > > > >
> > > > > 10:39 AM, on Jun 10, 2010, wrote:
> > > > >
> > > > > > Hello.  Not trying to beat a dead horse here but I was reading
> > > > > > http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html
> > > > > > and came to a part where it said, "Offset goes with Depth, distance
> > > > > > goes with within.  Don't mix them."  I'm not sure I agree with this
> > > > > > and I'm not much of an Blogger/Internet Exhibitionist so I'm posting
> > > > > > this here.
> > > > > >
> > > > > > We all know, offset tells Snort how far into the payload (starting
> > > > > > from the beginning of the payload) to start looking for a content
> > > > > > match.  Distance tells Snort how far into the payload (starting from
> > > > > > the previous content match) to start looking for a content match.
> > > > > > Depth *and* within tell Snort where to stop looking based on where it
> > > > > > started looking.  So you can have distance and use depth if you want
> > > > > > and it is perfectly OK to do this.  Do not be afraid.  The only reason
> > > > > > within exists is so if you have a situation where you don't use
> > > > > > distance but want to make sure no more than N bytes are between
> > > > > > content matches.  But within isn't really necessary. In fact, we could
> > > > > > get rid of within in the case described and just add distance:0; and
> > > > > > use depth.
> > > > > >
> > > > > > Hope this helps clarify a few things about the within content modifier.
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > > -L0rd Ch0de1m0rt
> > > > > >
> > > > > >
> > > > > > ------------------------------------------------------------------------------
> > > > > > ThinkGeek and WIRED's GeekDad team up for the Ultimate
> > > > > > GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> > > > > > lucky parental unit.  See the prize list and enter to win:
> > > > > > http://p.sf.net/sfu/thinkgeek-promo
> > > > > > _______________________________________________
> > > > > > Snort-sigs mailing list
> > > > > > Snort-sigs () lists sourceforge net
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > > > >
> > > > > --
> > > > > Joel Esler
> > >
> > > --
> > > Joel Esler
> >
> > ------------------------------------------------------------------------------
> > ThinkGeek and WIRED's GeekDad team up for the Ultimate
> > GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> > lucky parental unit.  See the prize list and enter to win:
> > http://p.sf.net/sfu/thinkgeek-promo
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs