Snort mailing list archives
Re: Parsing curiosity between standard byte_test and DCE byte_test
From: Todd Wease <twease () sourcefire com>
Date: Tue, 21 May 2013 10:05:06 -0400
Joshua, It looks like the override functions are deprecated. What happens when the "dce" argument is used is byte_order_func is set to DCE2_GetByteOrder() when parsing - ByteTestParse() - so the normal byte test evaluation function is called - ByteTest() - and in that function, byte_order_func is called. So ">=" and "<=" are supported with the "dce" argument to byte_test. Documentation needs to be updated. The same thing occurs with byte_extract, i.e. byte_order_func is set to DCE2_GetByteOrder(). Todd On Mon, May 20, 2013 at 3:20 PM, Joshua Kinard <kumba () gentoo org> wrote:
Snort-devel,
Looking at the parsing code for the normal byte_test keyword and the
DCERPC2
overridden one, there appears to be an undocumented issue with the operator
field.
Here's the switch statement that parses the operator for the standard
byte_test:
/* set the operator */
switch(*cptr)
{
case '<': idx->operator = BT_LESS_THAN;
cptr++;
if (*cptr == '=')
idx->operator = BT_LESS_THAN_EQUAL;
else
cptr--;
break;
case '=': idx->operator = BT_EQUALS;
break;
case '>': idx->operator = BT_GREATER_THAN;
cptr++;
if (*cptr == '=')
idx->operator = BT_GREATER_THAN_EQUAL;
else
cptr--;
break;
case '&': idx->operator = BT_AND;
break;
case '^': idx->operator = BT_XOR;
break;
default: FatalError("%s(%d): byte_test unknown "
"operator ('%c, %s')\n", file_name, file_line,
*cptr, toks[1]);
}
As can be seen, when it hits either the '<' or '>' operators, it advances
the pointer by one to check if the next character is an '=' and sets
BT_LESS_THAN_EQUAL or BT_GREATER_THAN_EQUAL as appropriate.
Here's the parsing code for the DCERPC2-overridden byte_test:
/* If two bytes first must be '!' */
if (strlen(token) == 2)
{
if (*token != DCE2_RARG__NE)
{
DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData),
DCE2_MEM_TYPE__ROPTION);
DCE2_RoptError("\"%s\" rule option: Invalid argument:
%s",
DCE2_ROPT__BYTE_TEST, token);
}
else
{
bt_data->invert = 1;
}
token++;
}
switch (*token)
{
case DCE2_RARG__LT:
bt_data->operator = DCE2_BT_OP__LT;
break;
case DCE2_RARG__EQ:
bt_data->operator = DCE2_BT_OP__EQ;
break;
case DCE2_RARG__GT:
bt_data->operator = DCE2_BT_OP__GT;
break;
case DCE2_RARG__AND:
bt_data->operator = DCE2_BT_OP__AND;
break;
case DCE2_RARG__XOR:
bt_data->operator = DCE2_BT_OP__XOR;
break;
default:
DCE2_Free((void *)bt_data, sizeof(DCE2_ByteTestData),
DCE2_MEM_TYPE__ROPTION);
DCE2_RoptError("\"%s\" rule option: Invalid argument:
%s",
DCE2_ROPT__BYTE_TEST, token);
break;
}
We can see at the top that it first checks the string length of the token,
and states that if it is two characters, the first char must be '!' for
negation. It then goes on to check the actual operators, but it only
accounts for '<', '=', '>', '&', and '^'. It does NOT account for '<=' or
'>=' like the standard byte_test does.
However if you write out a rule with a keyword like this:
byte_test:2,!<=,42,0,dce;, it will not throw out a parsing error.
The documentation doesn't actually mention that the standard byte_test
accepts '<=' and '>=' as operators, so no one has probably ever stumbled
onto this corner case.
What's the dev team's take? Should both byte_test forms support '<=' and
'>=' or should neither? Either approach is an easy fix.
Also, minor note, but the manual states that byte_extract takes a 'dce'
operand, when the parsing code doesn't even check for it. Traces exist for
it to be added eventually (I assume), but the DCERPC2 preprocessor has no
code in place to override byte_extract.
Cheers!,
--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28
"The past tempts us, the present confuses us, the future frightens us. And
our lives slip away, moment by moment, lost in that vast, terrible
in-between."
--Emperor Turhan, Centauri Republic
------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Try New Relic Now & We'll Send You this Cool Shirt New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Parsing curiosity between standard byte_test and DCE byte_test Joshua Kinard (May 20)
- Re: Parsing curiosity between standard byte_test and DCE byte_test Russ Combs (May 21)
- Re: Parsing curiosity between standard byte_test and DCE byte_test Todd Wease (May 21)