Snort mailing list archives

Length encoded protocol / LDAP and BER


From: FOULDE Damien <damien.foulde () axians com>
Date: Wed, 25 Jan 2017 18:38:28 +0000

Hello,

I’m faced with an issue dissecting a length-encoded protocol, LDAP in my case,
which uses BER.

I’m blocked because the value extracted through “byte_extract” can only be
supplied to the “offset” argument of the “byte_jump” rule keyword and not to
the “bytes_to_convert” argument.

Let me take an example: I have the bytes below and I need to check the 0x80
byte:

82 00 05 12 24 56 78 12 80

0x82 = 10000010

The MSB is set to 1, so the value of the 7 other bits is not the length of
the data but the number of bytes used to describe the length of the data, in
this example, the number of bytes to describe the length of the data is
0000010 = 2

We can get this value through “byte_extract:1,0,var_length,relative,bitmask
0x7f;”.

Then we would need to get the “00 05” = 5 value, to jump over the 5
following bytes “12 24 56 78 12” and finally be able to test the 0x80
content we need to check.

This could be achieved through “byte_jump:var_length,0,relative;” if the
“byte_jump” rule keyword accepted an extracted value for the
“bytes_to_convert” argument; unfortunately this is not the case.

Did I miss a Snort feature which could achieve this?

Do you know if there is already a feature request for something like this?

Thank you & regards,

Damien
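The decoding procedure described in the post above, written out as a small Python BER length decoder. This is an added example, not code from the original message or from the Snort project: it handles the general case (short form, and long form with any number of length octets) of which the post's "82 00 05 ..." sequence is one instance, and then skips over the content bytes to reach the octet the poster wants to test. The byte sequence from the post is reused as one sample; the short-form and three-octet long-form samples are constructed here for illustration. Function names are this example's own.

```python
# Added example: decode a BER (X.690) length field and locate the byte that
# follows the element it describes. Not part of the original post or of Snort.

# Sample from the post: 0x82 -> long form, 2 length octets; 00 05 -> 5 content
# bytes (12 24 56 78 12); the byte to test, 0x80, sits right after them.
SAMPLE_FROM_POST = bytes.fromhex("82 00 05 12 24 56 78 12 80")

# Constructed samples (not from the post): short form, and a 3-octet long form.
SAMPLE_SHORT_FORM = bytes.fromhex("05 12 24 56 78 12 80")
SAMPLE_THREE_OCTETS = bytes.fromhex("83 00 00 02 aa bb 80")


def decode_ber_length(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Decode the BER length field starting at buf[offset].

    Returns (content_length, octets_consumed_by_length_field).
    Short form: MSB clear, the low 7 bits are the content length itself.
    Long form:  MSB set, the low 7 bits give how many following octets
                encode the content length (big-endian).
    The indefinite form (0x80) and the reserved value 0xFF are rejected.
    """
    if offset >= len(buf):
        raise ValueError("truncated: no length octet at offset %d" % offset)
    first = buf[offset]

    if first & 0x80 == 0:
        # Short form: this is what a fixed byte_jump with bytes_to_convert=1
        # on the masked value would handle.
        return first, 1

    num_len_octets = first & 0x7F  # the post's byte_extract ... bitmask 0x7f
    if num_len_octets == 0:
        raise ValueError("indefinite length form is not supported here")
    if num_len_octets == 0x7F:
        raise ValueError("reserved length octet 0xFF")

    end = offset + 1 + num_len_octets
    if end > len(buf):
        raise ValueError("truncated: %d length octets expected" % num_len_octets)

    # This is the step the post cannot express in one rule: the number of
    # octets to convert (num_len_octets) is itself a value read from the packet.
    content_length = int.from_bytes(buf[offset + 1:end], "big")
    return content_length, 1 + num_len_octets


def byte_after_ber_element(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Skip the length field and the content it describes; return (byte, index)."""
    content_length, consumed = decode_ber_length(buf, offset)
    target = offset + consumed + content_length
    if target >= len(buf):
        raise ValueError("truncated: content runs past end of buffer")
    return buf[target], target


def check_trailing_byte(buf: bytes, expected: int = 0x80, offset: int = 0) -> bool:
    """The post's goal: does the octet after the element equal `expected`?"""
    try:
        value, _ = byte_after_ber_element(buf, offset)
    except ValueError:
        return False  # a truncated or malformed length never matches
    return value == expected


if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_FROM_POST),
                         ("short", SAMPLE_SHORT_FORM),
                         ("3-octet", SAMPLE_THREE_OCTETS)):
        length, consumed = decode_ber_length(sample)
        value, index = byte_after_ber_element(sample)
        print(f"{name:8s} length={length} length_field={consumed} octets "
              f"-> byte 0x{value:02x} at index {index}")
```

Each branch of `decode_ber_length` corresponds to one fixed `bytes_to_convert` value in Snort terms, which is exactly why a single `byte_jump` cannot follow a length whose own width is read from the packet. The decoder also refuses the indefinite and reserved forms and checks for truncation, since a rule or parser that trusts the length octets blindly will read past the buffer on malformed input.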

