Snort mailing list archives

Re: Question on the relationship between byte_jump and content options


From: Tyler Smith <tyler.smith () adventiumlabs com>
Date: Wed, 24 Jun 2015 08:23:32 -0500

OK, that makes sense.

Extrapolating from your reply, are the following statements accurate?

* The ‘within’ content modifier is dependent on the position of cursor.
* The cursor position is (potentially) updated by each option in the rule as read from left to right. That is, a 
‘content’ match will update the cursor position, just as byte_jump will update it.

Thanks,
Tyler

On Jun 24, 2015, at 8:18 AM, Alex McDonnell <amcdonnell () sourcefire com> wrote:

Byte_jump is not a content modifier but a standalone operation that moves the cursor (or point of inspection). This 
way a rule can skip over a record whose length we can read in the data. In the above example, we find a content 
match, read 2 bytes and jump that number of bytes from where the content was found, then we look for 3 static bytes 
right after where we land.

Hope this helps.

Alex McDonnell
TALOS

On Wed, Jun 24, 2015 at 8:57 AM, Tyler Smith <tyler.smith () adventiumlabs com> wrote:
Is the behavior of the ‘content’ option affected by ‘byte_jump’ options before or after it in a rule?

The content manual page doesn’t list byte_jump as one of the available content modifiers, but some rules (e.g., sid 
30777) appear to be written with an assumption that different content will be found following a byte_jump:

alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any
    (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt";
    flow:to_client,established;
    content:"|16 03 00|";
    byte_jump:2,0,relative;
    content:"|18 03 00|";
       within:3; fast_pattern;
    byte_test:2,>,128,0,relative;
    metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl;
    reference:cve,2014-0160;
    classtype:attempted-recon;
    sid:30777;
    rev:3;)

Thanks,
Tyler

P.S. Documentation I’m referring to: http://manual.snort.org/node32.html#SECTION00451300000000000000
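To make the cursor walk concrete, here is an added Python sketch (written for this page, not Snort's matching engine and not code from the thread) that evaluates the options of sid 30777 left to right over a constructed SSLv3 record stream. It assumes byte_jump counts the jump from the end of the two length bytes it read, which is what lets the rule land on the next record header, and that within:N limits the search to the N bytes after the cursor.

```python
# Hypothetical mini-evaluator (not Snort's engine) for the cursor walk
# performed by sid 30777's options, evaluated left to right.

def content(buf, cursor, pattern, within=None):
    """Find pattern at or after cursor. within=N restricts the search to
    the next N bytes, so a 3-byte pattern with within:3 must sit exactly
    at the cursor. Returns the cursor just past the match, or None."""
    end = len(buf) if within is None else min(len(buf), cursor + within)
    i = buf.find(pattern, cursor, end)
    return None if i < 0 else i + len(pattern)

def byte_jump(buf, cursor, nbytes, offset=0):
    """Read nbytes big-endian at cursor+offset and move the cursor that
    many bytes past the bytes just read (assumption: this is what lets the
    rule skip a whole record: 3-byte header, 2-byte length, body)."""
    start = cursor + offset
    if start + nbytes > len(buf):
        return None
    new = start + nbytes + int.from_bytes(buf[start:start + nbytes], "big")
    return new if new <= len(buf) else None

def byte_test(buf, cursor, nbytes, op, value, offset=0):
    """Compare the big-endian integer at cursor+offset against value."""
    start = cursor + offset
    if start + nbytes > len(buf):
        return False
    v = int.from_bytes(buf[start:start + nbytes], "big")
    return {">": v > value, "<": v < value, "=": v == value}[op]

def sid30777_matches(payload):
    cur = content(payload, 0, b"\x16\x03\x00")               # handshake header
    if cur is None:
        return False
    cur = byte_jump(payload, cur, 2, 0)                      # skip its body
    if cur is None:
        return False
    cur = content(payload, cur, b"\x18\x03\x00", within=3)   # heartbeat header
    if cur is None:
        return False
    return byte_test(payload, cur, 2, ">", 128, 0)           # length > 128

def ssl3_record(ctype, body):
    """Build an SSLv3 record: type, version 3.0, 2-byte length, body."""
    return bytes([ctype, 3, 0]) + len(body).to_bytes(2, "big") + body

# Constructed sample streams (not captured traffic).
HANDSHAKE = ssl3_record(0x16, b"\x0e\x00\x00\x00")                  # ServerHelloDone
BIG_HEARTBEAT = ssl3_record(0x18, b"\x02\x00\x01" + b"A" * 197)     # 200-byte body
SMALL_HEARTBEAT = ssl3_record(0x18, b"\x02\x00\x01" + b"A" * 20)
```

Inserting a single stray byte between the two records makes the within:3 content fail, because the cursor left by byte_jump no longer sits on the heartbeat header.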

------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors
network devices and physical & virtual servers, alerts via email & sms
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


