Re: Classify rules by offset and the usage of byte_jump

[Alex McDonnell <amcdonnell () sourcefire com>]

Hi Tommy,

1. Yes, adversaries can guess as to what rules are looking for.

2. No you cannot merge them, byte jump reads the number of bytes you
specify out of the packet at the position of the cursor and jumps that far
(with modifiers) so if I did byte_jump:4,0,relative,little; when my cursor
is at 4 bytes with the value 0x24000000 then it would jump my cursor 0x24
bytes in the packet.

thanks
Alex McDonnell
TALOS

On Tue, Jun 30, 2015 at 7:35 AM, Tommy Lin <ljxsgtc () gmail com> wrote:

>  Hi everyone, I am new to Snort. Here are some questions I come up with
> during the learning of Snort
>
> 1.
> After looking through some rule sets. I am wondering that whether it is
> possible to classify rules by the offset of the content it contains. To be
> more specific, Is it possible for an adversary to guess the goal of a rule
> by only knowing the value of *offset, depth, within *and* distance *that
> rule has*.*
>
> For example, if a rule contain the option *depth:3*, the adversary can
> guess that this rule aims at http get request packet.
>
> 2.
> Some rules have two consecutive *byte_jump* option.
>  For example,
>  alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
> bootparam request TCP"; flow:to_server,established; content:"|00 01 86
> A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
> byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01
> 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
> metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
> sid:1264; rev:21;)
>
> Can I merge the two options into one? If not, could you please show me an
> example. Actually, after reading the user manual and several times of
> google, I still don’t know what the exactly the byte_jump does.
>
> Thanks and regards,
> Tommy Lin
>
>
>
> —
> Sent from Mailbox <https://www.dropbox.com/mailbox>
>
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!