Snort mailing list archives

Classify rules by offset and the usage of byte_jump


From: "Tommy Lin" <ljxsgtc () gmail com>
Date: Tue, 30 Jun 2015 04:35:27 -0700 (PDT)

Hi everyone, I am new to Snort. Here are some questions I came up with while learning Snort.


1.
After looking through some rule sets, I am wondering whether it is possible to classify rules by the offset of the 
content they contain. To be more specific, is it possible for an adversary to guess the goal of a rule by only knowing 
the values of offset, depth, within and distance that the rule has?


For example, if a rule contains the option depth:3, the adversary can guess that this rule aims at HTTP GET request 
packets.


2.
Some rules have two consecutive byte_jump options.
For example,
 alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request TCP"; 
flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; 
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; 
depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1264; rev:21;)



Can I merge the two options into one? If not, could you please show me an example? Actually, after reading the user 
manual and googling several times, I still don't know exactly what byte_jump does.


Thanks and regards,
Tommy Lin
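Added example, not part of this thread and not Snort's own code: a toy Python model of the Snort 2.x detection cursor (content with offset/depth/distance/within, and byte_jump with relative/align), walking the option chain of sid:1264 above over a constructed RPC portmap GETPORT call. It assumes the Snort 2 semantics where depth and within are search-window lengths and byte_jump reads a big-endian length at cursor+offset, rounds it up to a 4-byte boundary with align, and moves the cursor past both the length field and the bytes it counts; the packet builder, helper names and the `align` switch are the example's own.

```python
import struct

# Toy model of the Snort 2.x cursor: `pos` is the byte just after the previous match.
# This is an added illustration, not Snort's implementation.

def content(p, pos, pat, offset=None, depth=None, distance=None, within=None):
    """Window is absolute [offset, offset+depth) without relative modifiers,
    else [pos+distance, pos+distance+within). Returns the new cursor or None."""
    if distance is None and within is None:
        start = offset or 0
        end = start + depth if depth is not None else len(p)
    else:
        start = pos + (distance or 0)
        end = start + within if within is not None else len(p)
    i = p.find(pat, start, end)          # pattern must fit inside the window
    return None if i < 0 else i + len(pat)

def byte_jump(p, pos, nbytes, offset, relative=True, align=False):
    """Read nbytes big-endian at (cursor or 0)+offset, optionally round the value
    up to a multiple of 4, then move the cursor past the field and that many bytes.
    Two byte_jumps cannot be merged: the second length field's position is only
    known after the first jump has been taken."""
    base = (pos if relative else 0) + offset
    if base + nbytes > len(p):
        return None
    value = int.from_bytes(p[base:base + nbytes], "big")
    if align:
        value = (value + 3) & ~3
    new = base + nbytes + value
    return new if new <= len(p) else None

def rpc_getport_call(prog, cred=b""):
    """Constructed ONC RPC CALL over TCP: record mark, then portmap v2 GETPORT for
    `prog`, an AUTH_UNIX credential body `cred` padded to 4, and an AUTH_NULL verifier."""
    body = struct.pack(">IIIIII", 0x1234, 0, 2, 100000, 2, 3)   # xid, CALL, rpcvers, prog, vers, proc
    body += struct.pack(">II", 1, len(cred)) + cred + b"\x00" * ((-len(cred)) % 4)
    body += struct.pack(">II", 0, 0)                               # verifier: flavor AUTH_NULL, length 0
    body += struct.pack(">IIII", prog, 1, 6, 0)                    # GETPORT args: prog, vers, proto, port
    return struct.pack(">I", 0x80000000 | len(body)) + body

def sid1264_matches(p, align=True):
    """Evaluate the rule's options in order; align=False shows why the rule needs it."""
    steps = [
        lambda pos: content(p, pos, b"\x00\x01\x86\xa0", offset=16, depth=4),   # program 100000
        lambda pos: content(p, pos, b"\x00\x00\x00\x03", distance=4, within=4), # proc GETPORT
        lambda pos: byte_jump(p, pos, 4, 4, relative=True, align=align),       # skip credential
        lambda pos: byte_jump(p, pos, 4, 4, relative=True, align=align),       # skip verifier
        lambda pos: content(p, pos, b"\x00\x01\x86\xba", within=4),            # arg prog 100026
        lambda pos: content(p, pos, b"\x00\x00\x00\x00", offset=8, depth=4),   # msg type CALL
    ]
    pos = 0
    for step in steps:
        pos = step(pos)
        if pos is None:
            return False
    return True
```

A 13-byte credential body is padded to 16 on the wire, so the rule only lands on the verifier when align rounds the jump up; a truncated packet makes the second byte_jump fail rather than read past the end.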




