Re: Question on the relationship between byte_jump and content options

[Alex McDonnell <amcdonnell () sourcefire com>]

yes indeed those are correct

On Wed, Jun 24, 2015 at 9:23 AM, Tyler Smith <tyler.smith () adventiumlabs com>
wrote:

> OK, that makes sense.
>
> Extrapolating from your reply, are the following statements accurate?
>
> * The ‘within’ content modifier is dependent on the position of cursor.
> * The cursor position is (potentially) updated by each option in the rule
> as read from left to right. That is, a ‘content’ match will update the
> cursor position, just as byte_jump will update it.
>
> Thanks,
> Tyler
>
> On Jun 24, 2015, at 8:18 AM, Alex McDonnell <amcdonnell () sourcefire com>
> wrote:
>
> Byte_jump is not a content modifier but a standalone operation that moves
> the cursor (or point of inspection) this way a rule can skip over a record
> whose length we can read in the data. In the above example, we find a
> content match, read 2 bytes and jump that number of bytes from where the
> content was found, then we look for 3 static bytes right after where we
> land.
>
> hope this helps.
>
> Alex McDonnell
> TALOS
>
> On Wed, Jun 24, 2015 at 8:57 AM, Tyler Smith <
> tyler.smith () adventiumlabs com> wrote:
>
> > Is the behavior of the ‘content' option affected by ‘byte_jump' options
> > before or after it in a rule?
> >
> > The content manual page doesn’t list byte_jump as one of the available
> > content modifiers, but some rules (e.g., sid 30777) appear to be written
> > with an assumption that different content will be found following a
> > byte_jump:
> >
> > LEFT  RULE: alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] ->
> > $EXTERNAL_NET any
> >     (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
> > ssl heartbleed attempt”;
> >     flow:to_client,established;
> >     content:"|16 03 00|”;
> >     byte_jump:2,0,relative;
> >     content:"|18 03 00|”;
> >        within:3; fast_pattern;
> >     byte_test:2,>,128,0,relative;
> >     metadata:policy balanced-ips drop, policy security-ips drop, ruleset
> > community, service ssl;
> >     reference:cve,2014-0160;
> >     classtype:attempted-recon;
> >     sid:30777;
> >     rev:3;)
> >
> > Thanks,
> > Tyler
> >
> > P.S. Documentation I’m referring to:
> > http://manual.snort.org/node32.html#SECTION00451300000000000000
> >
> >
> > ------------------------------------------------------------------------------
> > Monitor 25 network devices or servers for free with OpManager!
> > OpManager is web-based network management software that monitors
> > network devices and physical & virtual servers, alerts via email & sms
> > for fault. Monitor 25 devices for free with no restriction. Download now
> > http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors 
network devices and physical & virtual servers, alerts via email & sms 
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!