Re: byte_test and relative

[Todd Wease <twease () sourcefire com>]

On Fri, Oct 12, 2012 at 3:10 PM, Brandon Castel <bcastel () wurldtech com>wrote:

>  Hi all,
>
> We've noticed that using byte_test doesn't seem to advance the relative
> pointer in the way we'd expect and were wondering if this was by design
> behavior or a bug (the docs don't discuss the relative concept in any depth
> as far as I can tell)
>
> Here's a contrived example of what we're noticing
>
> Against this (hex) data - 05 64 16 21 AB CD 11 22 CC CC AA A1 0D
> We write a rule with the following body (ignore for conversation's sake
> that we can write the 2nd and 3rd as contents and avoid this whole mess)
> Content:"|05 64|";
> byte_test:1,>,7,0, relative;
> byte_test:2,=,0xABCD,2,relative;
> byte_test:1,=,0x0D,10, relative;
>
> This rule will fire, but notice that the offsets of the three byte_tests
> are are relative to 0x0564 and not each other. In the simple example that's
> not a big deal, its all fixed offsets so we can just adjust our numbers a
> bit and it all works out. The problem is when we'd like to do more
> complicated things, for example we have a signature we want to write which
> reads two variables from a packet at fixed offsets from the header, does a
> simple calculation on them (2a + b + 6) to find the offset of some bytes
> further down the packet.
>
> We had *hoped* to solve this by combining byte_extract and byte_test kind
> of like this:
> byte_extract:1,0,variableA,multiplier 2;
> byte_extract:1,4,variableB;
> byte_test:1, ^, 0xff, 6;
> byte_test:1, ^, 0xff, variableA;
> byte_test:4, >, 0xAABBCCDD, variableB; #our actual test goes here at
> relative offset variableB
>
> The idea being we're taking advantage of the fact that doing a logical OR
> with 0xff is always true so we force the relative pointer to where we want
> it in stages. We want 2A + B + 6, so we move it 6, then 2A then B
>
> Any thoughts (or alternative solutions) guys?

byte_test doesn't increment the relative pointer.  I think the following
may work:

byte_extract:1,5,variableB;
byte_jump:1,-6,relative,multiplier 2,post_offset 11;
byte_test:4,>,0xAABBCCDD,variableB;

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!