Snort mailing list archives

Are there examples for SO rules including ByteExtract?


From: Martin Aman <martin.aman () th-deg de>
Date: Wed, 15 Jul 2015 13:58:26 +0200

Hello,

I am trying to write a rule that reads the length of a header part of
an application protocol and use that number to verify the correct
length of the entire packet. But there is an additional offset (read
number does not equal length) that makes it quite hard to solve.

A possible way would be to write a non-SO rule with byte_extract and
isdataat with the corresponding offset. The only problem is that I
would need to add an offset to the offset which doesn't seem to work
as of yet.

In my research I have found this VRT Shared Object Rule Generator
(https://labs.snort.org/cgi-bin/sorules.cgi) which is supposed to help
me with writing SO rules but I can't get it to parse the following
rule which works fine with Snort 2.9.7.2:

alert udp any any -> any any (msg: "trying to check for length";
content: "|FF FF FF FF|"; offset: 0; depth: 4;
byte_extract:4,0,len_value; isdataat:len_value;
classtype:attempted-recon; sid: 12345678; rev:1;)

Since I haven't seen any other blog entries than
http://vrt-blog.snort.org/2010/02/introduction-to-shared-object-rules.html
and I have neither found a Snort Plugin API documentation nor other
information on the Snort mailing list or on the Internet in general...

... I'd like to ask if somebody is willing to share a few basic
examples for writing SO rules in general and how to use ByteExtract
with ByteTest and isdataat/Cursor specifically. Also recommendations
for resources and books are welcomed.

Thanking you in advance.

Yours faithfully,
Martin Aman
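The length check the question describes, written out as an added Python model; this is not code from the original post or from Snort. It assumes the layout implied by the posted rule (a 4-byte marker followed by a 4-byte big-endian length field) and a hypothetical 12-byte fixed header (EXTRA_OFFSET) that the length field does not count. isdataat:len_value is modelled as "there is data at absolute offset len_value", i.e. an at-least check; the exact comparison with the extra offset is the part the posted rule cannot express.

```python
import struct

# Layout taken from the posted rule: 4-byte marker, then a 4-byte length field.
MARKER = b"\xff\xff\xff\xff"      # content:"|FF FF FF FF|"; offset:0; depth:4
LEN_FIELD_SIZE = 4                # byte_extract:4,0,len_value (big-endian by default)

# Hypothetical (assumption): the header is 12 bytes in total and the length
# field counts only the body, so a well-formed datagram is len_value + 12 bytes.
EXTRA_OFFSET = 12


def extract_len_value(payload: bytes):
    """Mimic content match + byte_extract: return len_value, or None on no match."""
    if payload[:len(MARKER)] != MARKER:
        return None
    field = payload[len(MARKER):len(MARKER) + LEN_FIELD_SIZE]
    if len(field) < LEN_FIELD_SIZE:
        return None
    return struct.unpack("!I", field)[0]


def rule_isdataat_passes(payload: bytes) -> bool:
    """What the posted rule can express: isdataat:len_value, modelled here as
    'payload has a byte at absolute offset len_value' (assumption: at-least check)."""
    n = extract_len_value(payload)
    return n is not None and len(payload) > n


def check_exact_length(payload: bytes, extra_offset: int = EXTRA_OFFSET):
    """The check the question asks for: total length must equal len_value + offset.
    Returns (verdict, expected_length, actual_length)."""
    n = extract_len_value(payload)
    if n is None:
        return "no-match", None, len(payload)
    expected = n + extra_offset
    actual = len(payload)
    if actual == expected:
        return "ok", expected, actual
    if actual < expected:
        return "truncated", expected, actual      # fewer bytes than the header claims
    return "trailing-data", expected, actual      # more bytes than the header claims


def build_sample(declared_len: int, body_len: int) -> bytes:
    """Constructed test datagram: marker, length field, 4 filler header bytes, body."""
    header_rest = b"\x00" * (EXTRA_OFFSET - len(MARKER) - LEN_FIELD_SIZE)
    return MARKER + struct.pack("!I", declared_len) + header_rest + b"A" * body_len


if __name__ == "__main__":
    samples = [
        ("well-formed", build_sample(10, 10)),
        ("truncated", build_sample(10, 6)),
        ("trailing", build_sample(10, 14)),
        ("no marker", b"\x00\x01\x02\x03" + b"A" * 20),
    ]
    for name, pkt in samples:
        print(f"{name:11s} isdataat={rule_isdataat_passes(pkt)!s:5s} "
              f"exact={check_exact_length(pkt)}")
```

Running it shows why the at-least check is not enough: rule_isdataat_passes returns True for both the well-formed and the truncated sample, while check_exact_length separates ok, truncated and trailing-data only because it adds the fixed offset to the extracted value before comparing.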



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
