Snort mailing list archives
Re: Classify rules by offset and the usage of byte_jump
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Tue, 30 Jun 2015 07:49:28 -0400
Hi Tommy,

1. Yes, adversaries can guess as to what rules are looking for.

2. No, you cannot merge them. byte_jump reads the number of bytes you specify out of the packet at the position of the cursor and jumps that far (with modifiers), so if I did byte_jump:4,0,relative,little; when my cursor is at 4 bytes with the value 0x24000000 then it would jump my cursor 0x24 bytes in the packet.

thanks
Alex McDonnell
TALOS

On Tue, Jun 30, 2015 at 7:35 AM, Tommy Lin <ljxsgtc () gmail com> wrote:
Hi everyone,

I am new to Snort. Here are some questions I came up with while learning Snort.

1. After looking through some rule sets, I am wondering whether it is possible to classify rules by the offset of the content they contain. To be more specific, is it possible for an adversary to guess the goal of a rule by only knowing the values of offset, depth, within and distance that rule has? For example, if a rule contains the option depth:3, the adversary can guess that this rule aims at HTTP GET request packets.

2. Some rules have two consecutive byte_jump options. For example:

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1264; rev:21;)

Can I merge the two options into one? If not, could you please show me an example? Actually, after reading the user manual and several Google searches, I still don't know exactly what byte_jump does.

Thanks and regards,
Tommy Lin

Sent from Mailbox <https://www.dropbox.com/mailbox>

------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
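Alex's description of byte_jump and the sid:1264 rule Tommy quoted, worked through as an added example that is not code from this thread or from Snort: a small Python emulation of the content and byte_jump cursor rules, run over a constructed ONC RPC GETPORT call, which shows why the two byte_jump options cannot be merged (each one reads a length the previous jump exposed) and why the rule needs "align". It assumes, as this script's reading of the Snort manual, that byte_jump lands the cursor just past the bytes it read plus the (aligned) value; the helpers, field layout and sample packets are this example's own construction.

```python
import struct

def byte_jump(payload, cursor, nbytes, offset, relative=False, align=False, little=False):
    # Assumed Snort byte_jump semantics: read nbytes at (cursor if relative else 0)+offset as a
    # length, round it up to 4 if align, land just past the bytes read plus that length.
    start = (cursor if relative else 0) + offset
    if start < 0 or start + nbytes > len(payload):
        return None                                    # read would leave the payload
    value = int.from_bytes(payload[start:start + nbytes], "little" if little else "big")
    if align:
        value = (value + 3) & ~3
    new = start + nbytes + value
    return new if new <= len(payload) else None        # jump would leave the payload

def content(payload, cursor, pat, offset=0, depth=None, distance=None, within=None):
    # Emulates Snort content: offset/depth search from the payload start, distance/within
    # search from the current cursor. Returns the cursor just after the match, or None.
    rel = distance is not None or within is not None
    start = cursor + (distance or 0) if rel else offset
    span = within if rel else depth
    end = len(payload) if span is None else start + span
    i = payload.find(pat, start, end)
    return None if i < 0 else i + len(pat)

def rpc_call_tcp(prog, proc, cred, verf, args):
    # Constructed ONC RPC CALL over TCP: record mark, xid, msg_type=0, rpcvers=2, prog, vers,
    # proc, then credential and verifier as opaque_auth (flavor, length, body padded to 4).
    def opaque_auth(flavor, body):
        return struct.pack(">II", flavor, len(body)) + body + b"\0" * (-len(body) % 4)
    body = struct.pack(">IIIIII", 0x1234, 0, 2, prog, 2, proc)
    body += opaque_auth(*cred) + opaque_auth(*verf) + args
    return struct.pack(">I", 0x80000000 | len(body)) + body

def sid_1264_matches(payload, align=True):
    # Threads the detection cursor through sid:1264's options in rule order.
    PORTMAP, BOOTPARAM = b"\x00\x01\x86\xa0", b"\x00\x01\x86\xba"
    GETPORT, CALL = b"\x00\x00\x00\x03", b"\x00\x00\x00\x00"
    cur = content(payload, 0, PORTMAP, offset=16, depth=4)          # program 100000
    if cur is not None:
        cur = content(payload, cur, GETPORT, distance=4, within=4)  # procedure GETPORT
    for _ in range(2):                                              # skip cred, then verf
        if cur is not None:
            cur = byte_jump(payload, cur, 4, 4, relative=True, align=align)
    if cur is not None:
        cur = content(payload, cur, BOOTPARAM, within=4)            # requested prog 100026
    return cur is not None and content(payload, 0, CALL, offset=8, depth=4) is not None

# Constructed sample: 21-byte AUTH_UNIX credential (padded on the wire), AUTH_NULL verifier,
# GETPORT arguments asking for bootparam (100026), version 1, protocol 6 (TCP).
AUTH_UNIX, AUTH_NULL = (1, b"A" * 21), (0, b"")
BOOTPARAM_GETPORT = rpc_call_tcp(100000, 3, AUTH_UNIX, AUTH_NULL, struct.pack(">IIII", 100026, 1, 6, 0))
```

With align=False the first jump lands inside the credential's padding, the second jump reads garbage, and the rule stops matching; a request for another program (for example NFS, 100003) fails at the final content check instead.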
Current thread:
- Classify rules by offset and the usage of byte_jump Tommy Lin (Jun 30)
- Re: Classify rules by offset and the usage of byte_jump Alex McDonnell (Jun 30)