Snort mailing list archives

Re: Length encoded protocol / LDAP and BER


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sun, 12 Feb 2017 02:58:21 +0000

Probably a better topic for the snort-sigs list.

Sent from my iPad

On Feb 11, 2017, at 12:30 PM, FOULDE Damien <damien.foulde () axians com> wrote:

Hello,

No one interested in this topic?
That's a pity, this is quite an interesting technical challenge!

Damien

From: FOULDE Damien [mailto:damien.foulde () axians com]
Sent: Wednesday 25 January 2017 19:38
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Length encoded protocol / LDAP and BER

Hello,

I'm faced with an issue dissecting a length-encoded protocol, LDAP in my case, which uses BER.
I'm blocked because the value extracted through "byte_extract" can only be supplied to the "offset" argument of the "byte_jump" rule keyword and not to the "bytes_to_convert" argument.

Let me take an example: I have the bytes below and I need to check the 0x80 byte:
82 00 05 12 24 56 78 12 80
0x82 = 10000010
The MSB is set to 1, so the value of the 7 other bits is not the length of the data but the number of bytes used to describe the length of the data; in this example, the number of bytes describing the length of the data is 0000010 = 2.
We can get this value through "byte_extract:1,0,var_length,relative,bitmask 0x7f;".
Then we would need to get the "00 05" = 5 value, to jump over the 5 following bytes "12 24 56 78 12" and finally be able to test the 0x80 content we need to check.
This could be achieved through "byte_jump:var_length,0,relative;" if the "byte_jump" rule keyword accepted an extracted value for the "bytes_to_convert" argument; unfortunately this is not the case.
Did I miss a Snort feature which could achieve this?
Do you know if there is already a feature request for something like this?

Thank you & regards,

Damien
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
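The BER length decoding that Damien describes (short form when the MSB of the first length byte is clear, long form with a variable number of length bytes when it is set), written out as a small Python parser. This is an added illustration and not code from the thread or from Snort; the two sample byte strings are constructed from the message (the long-form one is exactly the "82 00 05 12 24 56 78 12 80" sequence), and the function names are my own. It also shows the two-step walk a rule would need (read the length-of-length with a 0x7f mask, then convert that many bytes and jump over the content), which is the step Snort's "byte_jump" cannot express with an extracted "bytes_to_convert", and it rejects the indefinite-length form, which LDAP does not permit (RFC 4511 requires definite lengths).

```python
# Constructed samples (not captured traffic). Layout: length field, content, then the
# byte we want to inspect (0x80).
SAMPLE_LONG = bytes.fromhex("82 00 05 12 24 56 78 12 80")   # long form: 0x82 -> 2 length bytes
SAMPLE_SHORT = bytes.fromhex("05 12 24 56 78 12 80")        # short form: 0x05 -> length 5

MAX_LENGTH_BYTES = 4  # defensive cap; real LDAP lengths never need more than this


def decode_ber_length(data: bytes, offset: int = 0) -> tuple[int, int]:
    """Decode a BER definite-form length starting at data[offset].

    Returns (content_length, number_of_bytes_used_by_the_length_field).
    """
    if offset >= len(data):
        raise ValueError("length byte missing")
    first = data[offset]
    if first & 0x80 == 0:
        # Short form: the 7 low bits are the length itself.
        return first, 1
    # Long form: the 7 low bits say how many following bytes hold the length
    # (this is what "byte_extract ... bitmask 0x7f" recovers in a Snort rule).
    num_len_bytes = first & 0x7F
    if num_len_bytes == 0:
        raise ValueError("indefinite-length form is not allowed in LDAP")
    if num_len_bytes > MAX_LENGTH_BYTES:
        raise ValueError("unreasonably large length field")
    end = offset + 1 + num_len_bytes
    if end > len(data):
        raise ValueError("truncated length field")
    # This conversion is the "byte_jump" step whose byte count would have to come
    # from the extracted variable.
    length = int.from_bytes(data[offset + 1:end], "big")
    return length, 1 + num_len_bytes


def content_end(data: bytes, offset: int = 0) -> int:
    """Offset of the first byte after the length-prefixed content."""
    length, used = decode_ber_length(data, offset)
    end = offset + used + length
    if end > len(data):
        raise ValueError("content runs past end of buffer")
    return end


def byte_after_content(data: bytes, offset: int = 0) -> int:
    """The byte a rule would test after jumping over the content (0x80 in the samples)."""
    end = content_end(data, offset)
    if end >= len(data):
        raise ValueError("no byte follows the content")
    return data[end]


if __name__ == "__main__":
    for name, sample in (("long", SAMPLE_LONG), ("short", SAMPLE_SHORT)):
        length, used = decode_ber_length(sample)
        print(f"{name}: length={length} length_field_bytes={used} "
              f"next_byte=0x{byte_after_content(sample):02x}")
```

Both samples resolve to the same content length of 5, but the long-form one needs the extra dereference (length-of-length first, then the length), which is why a single fixed-size "byte_jump" cannot cover every BER-encoded LDAP message.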
