Snort mailing list archives
Re: Help with signature - offset
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 22 Jul 2013 22:24:33 -0400
On 7/22/2013 19:22, miha rass wrote:
> Hello, I am trying to ID why my test Snort sig won't fire from the offset. I have a generic sig that I have tested from flow, depth, content etc. It all works but the offset. I am testing the sig against some old gh0st RAT traffic. Below is the sig. I thought the TCP payload would start at offset 54. The content in the hex is in bold.

The key to the offset is the last content match IIRC... I'm not sure, at the moment, where the "last content match" pointer is set in a rule like yours... What version of Snort are you running? There have been a lot of changes over time in this and similar areas...

> alert tcp any any -> any 21 (msg:"testing for gh0st"; content:"v2010"; offset:58; nocase; sid:100000939;)
>
> 0000  00 50 56 e3 19 d5 00 50 56 3c f6 41 08 00 45 00  .PV....P V<.A..E.
> 0010  01 31 02 74 40 00 80 06 bc ce c0 a8 6a 8d 79 3f  .1.t@... ....j.y?
> 0020  96 0f 04 34 00 15 04 4a 7e 7d 59 4f 74 3a 50 18  ...4...J ~}YOt:P.
> 0030  fa f0 5d c1 00 00 76 32 30 31 30 09 01 00 00 fc  ..]...*v2 010*.....
> 0040  00 00 00 66 00 00 00 9c 00 00 00 05 00 00 00 01  ...f.... ........
> 0050  00 00 00 28 0a 00 00 02 00 00 00 53 65 72 76 69  ...(.... ...Servi
> 0060  63 65 20 50 61 63 6b 20 32 00 00 3f 9b 91 7c d8  ce Pack 2..?..|.
> 0070  c0 97 7c eb 9a 91 7c 30 f4 40 00 90 fe ab 00 ff  ..|...|0 .@......
> 0080  ff 00 00 00 c0 fd 7f a8 34 24 00 ff ff ff ff 12  ........ 4$......
--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
