Snort mailing list archives

Question regarding distances after a byte_jump...
From: evejou <girl () techn0ev3 net>
Date: Thu, 16 Dec 2010 17:54:19 -0500


I was trying to write a signature for Snort v2.6.1.5. I have a question
about using the distance/within tags after a byte_test, if that's even
proper use for it.

Say there's a packet that looks kind of like this:

MM MM OO OO OO [....] TT XX XX AA AA ...

(MM -- magic number)
(OO -- offset value that points to the TTs; this offset counts from the
beginning of the file)
(XX XX -- 2 bytes that I don't care about)

I was trying to figure out where the pointer would be after a byte_jump, so
I tried to write the following to see if it would trigger:
      content:"|MM MM|"; byte_jump:3,0,relative,from_beginning,post_offset 2; content:"|AA AA|"; distance:0; within:2;
I noticed that this didn't trigger, but that it did when I removed the
"within:2" part.

And then I tried the following:
      content:"|MM MM|"; byte_jump:3,0,relative,from_beginning,post_offset 2; content:"|OO OO OO|"; distance:0; within:3;
and this triggered as well.

My first question is whether this is expected behavior (or am I doing
something wrong?), and adjunctly to that, how I could get a hit on that
second content tag (the |AA AA| part)...


girl () techn0ev3 net

Finché c'è vita, c'è speranza.
As long as there is life, there is hope.
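The pointer arithmetic the question turns on, as an added Python model that is not Snort source and not part of the original post. It builds a constructed payload in the layout sketched above (the three OO bytes hold the big-endian offset of TT, counted from the start), and models content, distance, within and byte_jump as the Snort manual describes them: relative reads start at the end of the last match, from_beginning measures the jump from the payload start, post_offset is applied after the jump, and within caps the search window. Those semantics, the byte values and the offset 12 are assumptions of the model; the Snort build actually tested may behave differently, which is the behaviour the post reports.

```python
"""Model of Snort's detection pointer ("doe") for content and byte_jump.

Constructed example, not Snort code. Semantics follow the manual's wording
for byte_jump (relative, from_beginning, post_offset), distance and within;
a real Snort version may differ from this model.
"""

TT_OFFSET = 12  # constructed: position of the TT byte, counted from payload start


def build_packet():
    """Constructed payload in the layout from the post:
    MM MM | OO OO OO | [....] | TT | XX XX | AA AA | trailer."""
    payload = b"\x4d\x4d"                              # MM MM (magic)
    payload += TT_OFFSET.to_bytes(3, "big")            # OO OO OO: offset of TT
    payload += b"\x00" * (TT_OFFSET - len(payload))    # [....] padding
    payload += b"\x54"                                 # TT
    payload += b"\x58\x58"                             # XX XX (don't care)
    payload += b"\xaa\xaa"                             # AA AA (wanted match)
    payload += b"\x00\x00\x00\x00"                     # trailer
    return payload


def content(payload, pattern, doe, distance=None, within=None):
    """content with optional distance/within, relative to the current doe.

    Returns the new doe (just past the match) or None on no match.  A
    content with neither modifier searches the whole payload from offset 0;
    with modifiers, the search starts at doe + distance and, when within is
    given, the pattern must fit entirely inside the next `within` bytes.
    """
    if distance is None and within is None:
        start, window = 0, payload
    else:
        start = doe + (distance or 0)
        window = payload[start:] if within is None else payload[start:start + within]
    idx = window.find(pattern)
    if idx < 0:
        return None
    return start + idx + len(pattern)


def byte_jump(payload, doe, nbytes, offset, relative=False,
              from_beginning=False, post_offset=0):
    """byte_jump: read `nbytes` big-endian at `offset` (from doe if relative,
    else from payload start), jump that many bytes from the position after
    the read (or from the payload start if from_beginning), then add
    post_offset.  Returns the new doe, or None if anything falls off the end.
    """
    pos = (doe if relative else 0) + offset
    if pos + nbytes > len(payload):
        return None
    value = int.from_bytes(payload[pos:pos + nbytes], "big")
    new_doe = value if from_beginning else pos + nbytes + value
    new_doe += post_offset
    if not 0 <= new_doe <= len(payload):
        return None
    return new_doe


def rule_from_post(payload, second_pattern, distance, within):
    """Evaluate the shape of rule used in the post:

    content:"|MM MM|"; byte_jump:3,0,relative,from_beginning,post_offset 2;
    content:<second_pattern>; distance:<distance>; within:<within>;

    Returns (matched, doe_after_jump) so the pointer position can be inspected.
    """
    doe = content(payload, b"\x4d\x4d", 0)
    if doe is None:
        return False, None
    doe = byte_jump(payload, doe, 3, 0, relative=True, from_beginning=True, post_offset=2)
    if doe is None:
        return False, None
    hit = content(payload, second_pattern, doe, distance=distance, within=within)
    return hit is not None, doe


if __name__ == "__main__":
    pkt = build_packet()
    print("pointer after jump:", rule_from_post(pkt, b"\xaa\xaa", 0, 2)[1])
    print("|AA AA| distance:0 within:2 ->", rule_from_post(pkt, b"\xaa\xaa", 0, 2)[0])
    print("|AA AA| distance:0, no within ->", rule_from_post(pkt, b"\xaa\xaa", 0, None)[0])
    print("|OO OO OO| distance:0 within:3 ->", rule_from_post(pkt, TT_OFFSET.to_bytes(3, "big"), 0, 3)[0])
    print("|AA AA| distance:1 within:2 ->", rule_from_post(pkt, b"\xaa\xaa", 1, 2)[0])
```

Under these assumed semantics the pointer lands at TT + 2, on the second XX byte, so a two-byte |AA AA| cannot fit in a two-byte window opening there, while the same rule without within finds it further on; that agrees with the first two observations in the post. The model also predicts that the |OO OO OO| rule would not fire from that pointer, which is not what the poster saw, so the version tested evidently does not move the pointer the way the manual's wording suggests. Under the model, either distance:1; within:2 or a post_offset of 3 with distance:0; within:2 would put |AA AA| inside the window.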
