Snort mailing list archives

Re: Are there examples for SO rules including ByteExtract?


From: Patrick Mullen <pmullen () sourcefire com>
Date: Thu, 16 Jul 2015 12:26:06 -0400

Martin,

byte_extract isn't supported in the generator at this time because you're
already in C so reading values from the payload is trivial.  Inside of
so-util.h, there are functions and macros that make it even easier
(read_big_32, read_little_16, etc).  isdataat is implemented through
pointer math -- if(cursor_normal + size_you_are_checking > end_of_payload)
{ return RULE_NOMATCH; /* not enough data available */ } .  end_of_payload
would be set by a call to getBuffer() earlier in the code.  cursor_normal
is wherever you are currently located in the payload.  Look for usages of
these functions in the so_rules directory (downloaded with the rules
tarball from snort.org) for examples; there are many.  Our coding
guidelines should make all of the terms I used in my examples show up many
times.

There may also be ways to do this within a text rule.  There are features
like post_offset and such to handle sizes that include additional header
information or whatnot, and there's no reason you couldn't byte_extract an
offset to find the size field you are looking for at another offset.  Or,
perhaps another strategy could be used to avoid these complications.  I
always preach the concept of "good enough" detection.  This isn't to say
"half-assed" detection; I generally don't let our people get away with weak
stuff, but in many instances detection that may not be 100% perfect is more
than adequate for detecting bad people doing bad things on the Internet
while being suitably resistant to false positives.  And sometimes, because
the rule is more loose, we end up catching other shenanigans we weren't
even aware of when we wrote the rule!


Thanks,

~Patrick


On Wed, Jul 15, 2015 at 7:58 AM, Martin Aman <martin.aman () th-deg de> wrote:

Hello,

I am trying to write a rule that reads the length of a header part of
an application protocol and uses that number to verify the correct
length of the entire packet. But there is an additional offset (read
number does not equal length) that makes it quite hard to solve.

A possible way would be to write a non-SO rule with byte_extract and
isdataat with the corresponding offset. The only problem is that I
would need to add an offset to the offset which doesn't seem to work
as of yet.

In my research I have found this VRT Shared Object Rule Generator
(https://labs.snort.org/cgi-bin/sorules.cgi) which is supposed to help
me with writing SO rules but I can't get it to parse the following
rule which works fine with Snort 2.9.7.2:

alert udp any any -> any any (msg: "trying to check for length";
content: "|FF FF FF FF|"; offset: 0; depth: 4;
byte_extract:4,0,len_value; isdataat:len_value;
classtype:attempted-recon; sid: 12345678; rev:1;)

Since I haven't seen any other blog entries than
http://vrt-blog.snort.org/2010/02/introduction-to-shared-object-rules.html
and I have neither found a Snort Plugin API documentation nor other
information on the Snort mailing list or on the Internet in general...

... I'd like to ask if somebody is willing to share a few basic
examples for writing SO rules in general and how to use ByteExtract
with ByteTest and isdataat/Cursor specifically. Also recommendations
for resources and books are welcomed.

Thanking you in advance.

Yours faithfully,
Martin Aman




------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT
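The pattern Patrick describes (read the length field in C, then check with pointer math that the payload really holds that many bytes, plus Martin's extra header offset) as an added, self-contained example. This is not code from the thread, from so-util.h or from any Sourcefire rule: RULE_MATCH/RULE_NOMATCH, the be32() reader and has_data() are local stand-ins for the Snort plugin API, EXTRA_HEADER_BYTES is a constructed value for the "offset to the offset", the length field is assumed to follow the four-byte marker, and the sample payloads are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for what an SO rule gets from the Snort plugin headers
 * (RULE_MATCH/RULE_NOMATCH, read_big_32(), the buffer end from getBuffer()).
 * They are defined here, under assumed names, so the file builds without
 * the Snort source tree. */
#define RULE_MATCH   1
#define RULE_NOMATCH 0

/* Bytes the declared length does not account for: the "offset to the
 * offset" the thread is about. Constructed value for this example. */
#define EXTRA_HEADER_BYTES 2

/* Big-endian 32-bit read, the job read_big_32() does in so-util.h. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* isdataat in pointer math. Computed as (end - cursor) >= need rather than
 * cursor + need > end, because need comes straight from the packet and a
 * large value could otherwise wrap the pointer and defeat the bounds check. */
static int has_data(const uint8_t *cursor, const uint8_t *end, uint64_t need)
{
    if (cursor > end)
        return 0;
    return (uint64_t)(end - cursor) >= need;
}

/* C version of the text rule from the thread, with the extra offset added:
 *   content:"|FF FF FF FF|"; offset:0; depth:4;
 *   byte_extract:4,0,len_value,relative;   (length field follows the marker)
 *   isdataat: len_value + EXTRA_HEADER_BYTES, relative;
 * Returns RULE_MATCH when the payload really carries that many bytes. */
int eval_length_rule(const uint8_t *payload, size_t payload_len)
{
    static const uint8_t marker[4] = {0xFF, 0xFF, 0xFF, 0xFF};
    const uint8_t *end = payload + payload_len;  /* end_of_payload */
    const uint8_t *cursor = payload;             /* cursor_normal */

    /* content at offset 0, depth 4 */
    if (!has_data(cursor, end, sizeof marker) ||
        memcmp(cursor, marker, sizeof marker) != 0)
        return RULE_NOMATCH;
    cursor += sizeof marker;

    /* byte_extract:4,0,len_value,relative */
    if (!has_data(cursor, end, 4))
        return RULE_NOMATCH;
    uint32_t len_value = be32(cursor);
    cursor += 4;

    /* isdataat:(len_value + extra),relative; the sum is done in 64 bits so a
     * length near UINT32_MAX cannot wrap back to a small number. */
    if (!has_data(cursor, end, (uint64_t)len_value + EXTRA_HEADER_BYTES))
        return RULE_NOMATCH;  /* not enough data available */

    return RULE_MATCH;
}

/* Constructed sample payloads (not captured traffic). */
/* marker, declared length 3, then 3 + EXTRA_HEADER_BYTES = 5 payload bytes */
const uint8_t sample_complete[] = {0xFF,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x03,
                                   0x41,0x42,0x43,0x44,0x45};
/* same header but one byte short of what the length + extra requires */
const uint8_t sample_short[]    = {0xFF,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x03,
                                   0x41,0x42,0x43,0x44};
/* marker present, declared length 0xFFFFFFFF: must not wrap into a match */
const uint8_t sample_huge[]     = {0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF,
                                   0x41,0x42};
/* marker missing */
const uint8_t sample_nomarker[] = {0x00,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x00,
                                   0x41,0x42};

int main(void)
{
    printf("complete: %d\n", eval_length_rule(sample_complete, sizeof sample_complete));
    printf("short:    %d\n", eval_length_rule(sample_short, sizeof sample_short));
    printf("huge:     %d\n", eval_length_rule(sample_huge, sizeof sample_huge));
    printf("nomarker: %d\n", eval_length_rule(sample_nomarker, sizeof sample_nomarker));
    return 0;
}
```

The one deliberate difference from the inline snippet in the thread is the direction of the comparison: subtracting the cursor from the end and comparing against the packet-supplied length keeps the check correct even when that length is chosen to push cursor + size past the end of the address range, which is exactly the input a malformed or hostile packet would carry.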
