Snort mailing list archives

Re: question regarding distance 0 modifier


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 18 Jul 2014 13:53:48 +0000

On Jul 17, 2014, at 7:56 PM, James Dickenson <jdickenson () gmail com> wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MsUpdater variant outbound 
connection"; flow:to_server,established; content:"/search"; http_uri; content:"?h1="; distance:0; http_uri; 
content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"&h4="; distance:0; http_uri; 
content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|"; http_header; 
pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy 
security-ips drop, service http; 
reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/;
 classtype:trojan-activity; sid:21240; rev:7;)

Let me display our rule like this, might make it easier:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
        msg:"MALWARE-CNC Win.Trojan.MsUpdater variant outbound connection"; \
        flow:to_server,established; \
        content:"/search"; http_uri; \
        # This means that the h1 match must take place after the "/search" match in the previous line.  No restrictions on where, just after.
        content:"?h1="; distance:0; http_uri; \
        # This means that the h2 match must take place after the "h1" match in the previous line.  No restrictions on where, just after.
        content:"&h2="; distance:0; http_uri; \
        # This means that the h3 match must take place after the "h2" match in the previous line.  No restrictions on where, just after.
        content:"&h3="; distance:0; http_uri; \
        # This means that the h4 match must take place after the "h3" match in the previous line.  No restrictions on where, just after.
        content:"&h4="; distance:0; http_uri; \
        content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|"; http_header; \
        pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/H"; \
        # The two above matches are in the "http_header" buffer (completely different buffer, so no distance matches there).
        metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; \
        reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; \
        classtype:trojan-activity; \
        sid:21240; rev:7; \
)


You’ll notice all the “h{1-4}” matches are in the http_uri buffer.  So you can perform relative checks on the matches 
in the same buffer.

Does that help?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
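The relative-match behaviour described in the reply above, as an added toy emulation in Python (this is not Snort's engine and not code from the thread): the rule's http_uri contents are checked in order with distance:0 semantics, the http_header buffer is checked on its own so no relative offset carries across buffers, and every sample URI and header below is constructed for illustration.

```python
# Added toy emulation of Snort's content / distance semantics on the
# http_uri and http_header buffers. Not Snort's engine and not code from
# the thread; all sample inputs below are constructed.
import re
from typing import List, Optional, Sequence, Tuple

# (pattern, distance): distance None = absolute (search from buffer start);
# an int N = relative, the match must start at least N bytes after the end
# of the previous match (distance:0 => "anywhere after the previous match").
ContentSpec = Tuple[bytes, Optional[int]]


def match_contents(buf: bytes, specs: Sequence[ContentSpec]) -> Optional[List[int]]:
    """Return the offset of every content match in order, or None if any fails."""
    offsets: List[int] = []
    doe = 0  # end of the previous match ("detect offset end" in Snort terms)
    for pattern, distance in specs:
        start = 0 if distance is None else doe + distance
        idx = buf.find(pattern, start)
        if idx < 0:
            return None
        offsets.append(idx)
        doe = idx + len(pattern)
    return offsets


# The http_uri contents of sid:21240 as laid out in the reply: "/search" is
# searched from the start of the buffer, each h-parameter relative to the
# match before it.
RULE_URI_SPECS: List[ContentSpec] = [
    (b"/search", None),
    (b"?h1=", 0),
    (b"&h2=", 0),
    (b"&h3=", 0),
    (b"&h4=", 0),
]

# http_header buffer checks: the decoded form of
# "User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|" and the rule's pcre
# body (the /H modifier only selects the header buffer).
HEADER_CONTENT = b"User-Agent: Mozilla/5.0 (compatible;"
HEADER_PCRE = re.compile(rb"\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a")


def rule_matches(uri: bytes, headers: bytes) -> bool:
    """Evaluate the rule's detection logic over the two separate buffers."""
    if match_contents(uri, RULE_URI_SPECS) is None:
        return False
    # Different buffer: the URI match positions play no role here.
    if HEADER_CONTENT not in headers:
        return False
    return HEADER_PCRE.search(headers) is not None


# Constructed sample traffic (not real C2 data).
URI_OK = b"/search?h1=aaa&h2=bbb&h3=ccc&h4=ddd"
URI_REORDERED = b"/search?h1=aaa&h3=ccc&h2=bbb&h4=ddd"  # same tokens, wrong order
HDR_OK = b"Host: example.test\r\nUser-Agent: Mozilla/5.0 (compatible;ABC;)\r\n\r\n"
HDR_GENERIC = (b"Host: example.test\r\n"
               b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n\r\n")

if __name__ == "__main__":
    print(match_contents(URI_OK, RULE_URI_SPECS))         # [0, 7, 14, 21, 28]
    print(match_contents(URI_REORDERED, RULE_URI_SPECS))  # None: &h3= must follow &h2=
    # Without distance:0 each content is searched from offset 0, so the
    # reordered URI would pass; the relative modifier is what enforces order.
    print(match_contents(URI_REORDERED, [(p, None) for p, _ in RULE_URI_SPECS]))  # [0, 7, 21, 14, 28]
    print(rule_matches(URI_OK, HDR_OK))          # True
    print(rule_matches(URI_REORDERED, HDR_OK))   # False
    print(rule_matches(URI_OK, HDR_GENERIC))     # False: pcre wants "(compatible;[A-Z]*;)\r\n"
```

The third print shows why distance:0 matters: with absolute matching the same five tokens are found in the reordered URI, but the relative chain rejects it because "&h3=" must start at or after the end of the "&h2=" match. The header checks run against their own buffer, which is why the reply notes that no distance modifier applies there.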