Re: byte_test

["Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>]

To further elaborate —

Please don’t adjust it so that the rule stops alerting.  This rule is measuring a vulnerability condition, and 
condition that Talos (the makers of the official Snort ruleset) know intimately about.    Please file a false positive, 
and we’ll take a look if we need to adjust the rule, or if these are actually legitimate attacks against your 
infrastructure.



> On Mar 25, 2020, at 10:34 AM, Joel Esler (jesler) via Snort-sigs <snort-sigs () lists snort org> wrote:
>
> It’s measuring two bytes that are 76 bytes from the beginning of the packet (notice there is no “relative” in that 
> rule option), and it measures those bytes to see if they are greater than 0x2710, in little endian.  
>
> If you are experiencing any false positives with that rule, please report them!  
> https://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html 
> <https://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html>
>
> -- 
> Joel Esler
> Manager, Communities Division
> Cisco Talos Intelligence Group
> http://www.talosintelligence.com <http://www.talosintelligence.com/> | https://www.snort.org <https://www.snort.org/>
>
> > On Mar 23, 2020, at 8:32 AM, Frank Garvis via Snort-sigs <snort-sigs () lists snort org <mailto:snort-sigs () lists 
> > snort org>> wrote:
> >
> > Hi all!
> >
> > I’m trying to step through Snort rules because I have a general understanding of how the rules work, but there are 
> > some finer points like byte_test where I’m not sure how it fits into how a rule fires.  Let's take sid:47477 for 
> > instance.  The rule fired but there's no content byte match in the packet data.  I'm figuring that the byte_test 
> > only goes if the content match fires, but in this case there isn't, so did the rule default to the byte_match and 
> > match on that?  Also a bit fuzzy on how to read "byte_test:2,>0x2710,76 little;"  So am I looking for 0x2710 after 
> > byte 2 offset?  I want to determine if this is a false positive and to tune the rule, or if it's a true positive and 
> > I need to look into it further.   Any help and/or references are appreciated!
> >
> > Frank
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
> > https://lists.snort.org/mailman/listinfo/snort-sigs
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> > Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
> >
> > Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
> > href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
> href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Attachment: smime.p7s
Description:

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!