Snort mailing list archives

Re: RE : Help with signature - offset


From: rmkml <rmkml () yahoo fr>
Date: Tue, 23 Jul 2013 21:37:11 +0200 (CEST)

Hi Miha,

ok I have converted your txt output to pcap (with wireshark text2pcap),

{attached pcap file and small syntax txt file}

After starting snort on verbose mode,

Snort (v2950) indicates it's not a tcp layer... (wireshark says it's tcp ok)
...
===============================================================================
Packet I/O Totals:
   Received:            1
   Analyzed:            1 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:            1 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:            1 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:            0 (  0.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            1 (100.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            1 (100.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:            1
===============================================================================
...

Can you share your pcap file please? (or check whether snort in verbose mode does not detect a tcp layer)

Regards
@Rmkml


On Tue, 23 Jul 2013, miha rass wrote:

Thanks for the input.  I figured it out.
I was looking to trigger off the first few bytes of the TCP payload, so by putting offset:0 it works.  I am not sure why it works b/c the content data is sitting at offset:54 according to wireshark.

I am guessing that content ONLY works within the TCP payload, not in the eth/ip/tcp header.

Does anyone know if wireshark adds or removes any data while parsing?


On Tue, Jul 23, 2013 at 1:54 AM, rmkml <rmkml () yahoo fr> wrote:
Hi Miha,
Not tested, but can you try with offset:4; please?

Because here it's a payload offset.

Regards
@Rmkml




-------- Original Message --------
From: miha rass <miha4246 () gmail com>
Date:
To: snort user list <snort-users () lists sourceforge net>
Subject: [Snort-users] Help with signature - offset


Hello,
I am trying to id why my test snort sig won't fire from the offset.  I have a generic sig that I have tested from flow, depth, content etc.  It all works but the offset.

I am testing the sig against some old gh0st rat traffic.  Below is the sig.  I thought the tcp payload would start at offset 54.  The content in the hex is in bold.

 alert tcp any any -> any 21 (msg:"testing for gh0st"; content:"v2010"; offset:58; nocase; sid:100000939;)


0000  00 50 56 e3 19 d5 00 50  56 3c f6 41 08 00 45 00   .PV....P V<.A..E.
0010  01 31 02 74 40 00 80 06  bc ce c0 a8 6a 8d 79 3f   .1.t@... ....j.y?
0020  96 0f 04 34 00 15 04 4a  7e 7d 59 4f 74 3a 50 18   ...4...J ~}YOt:P.
0030  fa f0 5d c1 00 00 76 32  30 31 30 09 01 00 00 fc   ..]...v2 010.....
0040  00 00 00 66 00 00 00 9c  00 00 00 05 00 00 00 01   ...f.... ........
0050  00 00 00 28 0a 00 00 02  00 00 00 53 65 72 76 69   ...(.... ...Servi
0060  63 65 20 50 61 63 6b 20  32 00 00 3f 9b 91 7c d8   ce Pack  2..?..|.
0070  c0 97 7c eb 9a 91 7c 30  f4 40 00 90 fe ab 00 ff   ..|...|0 .@......
0080  ff 00 00 00 c0 fd 7f a8  34 24 00 ff ff ff ff 12   ........ 4$......

Thanks



Attachment: miha_dump.pcap
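To make the offset discussion in this thread concrete, here is a small decoder added for this archive page (it is not code from the thread or from the Snort project). It takes the hex dump from the original post, retyped below as constructed input with the offset and ASCII columns dropped, walks the Ethernet, IPv4 and TCP headers, and shows that the payload begins at frame byte 54, so a Snort `offset:` of 0 lands on "v2010" while `offset:58` (counted from the payload, not the frame) does not. The `content_matches` function is an assumed, simplified model of Snort's content/offset/depth/nocase matching, not Snort's own engine. As an extra check of the kind a packet decoder performs, it recomputes the IPv4 header checksum and compares the IP total-length field against the bytes actually present; for this dump the checksum is valid but only 144 of the 319 bytes the IP header announces are there, which is what you would expect from a dump pasted into an email rather than a full capture.

```python
import struct
from typing import Optional

# Hex dump from the original post, retyped as constructed input: the frame
# offset column and the ASCII column are dropped, the bytes are unchanged.
HEX_DUMP = """
00 50 56 e3 19 d5 00 50 56 3c f6 41 08 00 45 00
01 31 02 74 40 00 80 06 bc ce c0 a8 6a 8d 79 3f
96 0f 04 34 00 15 04 4a 7e 7d 59 4f 74 3a 50 18
fa f0 5d c1 00 00 76 32 30 31 30 09 01 00 00 fc
00 00 00 66 00 00 00 9c 00 00 00 05 00 00 00 01
00 00 00 28 0a 00 00 02 00 00 00 53 65 72 76 69
63 65 20 50 61 63 6b 20 32 00 00 3f 9b 91 7c d8
c0 97 7c eb 9a 91 7c 30 f4 40 00 90 fe ab 00 ff
ff 00 00 00 c0 fd 7f a8 34 24 00 ff ff ff ff 12
"""

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def frame_bytes(dump: str = HEX_DUMP) -> bytes:
    """Turn the hex text into the raw Ethernet frame."""
    return bytes.fromhex("".join(dump.split()))


def ip_header_checksum_ok(ip_header: bytes) -> bool:
    """Recompute the IPv4 header checksum: the one's-complement sum of all
    16-bit words, checksum field included, must fold to 0xFFFF."""
    total = 0
    for i in range(0, len(ip_header), 2):
        total += struct.unpack("!H", ip_header[i:i + 2])[0]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and report where the TCP payload starts,
    plus the sanity checks a decoder would apply before rule matching."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    ip_total_len = struct.unpack("!H", ip[2:4])[0]  # header + payload, per the IP header
    proto = ip[9]
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP: IP protocol %d" % proto)
    tcp = ip[ihl:]
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    payload_start = ETH_LEN + ihl + data_off
    expected_len = ETH_LEN + ip_total_len
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": struct.unpack("!H", tcp[0:2])[0],
        "dport": struct.unpack("!H", tcp[2:4])[0],
        "ip_checksum_ok": ip_header_checksum_ok(ip[:ihl]),
        "payload_start": payload_start,           # frame offset of the first payload byte
        "payload": frame[payload_start:],
        "expected_frame_len": expected_len,       # what the IP total-length field promises
        "captured_frame_len": len(frame),         # what the dump actually contains
        "truncated": len(frame) < expected_len,
    }


def content_matches(payload: bytes, pattern: bytes, offset: int = 0,
                    depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Simplified model (an assumption, not Snort's engine) of content with
    offset/depth/nocase: the search window starts `offset` bytes into the
    TCP payload, never at the start of the frame."""
    end = None if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


if __name__ == "__main__":
    frame = frame_bytes()
    info = decode_frame(frame)
    print("%s:%d -> %s:%d" % (info["src"], info["sport"], info["dst"], info["dport"]))
    print("payload starts at frame byte", info["payload_start"])
    print("'v2010' at frame byte", frame.find(b"v2010"), "= payload offset 0")
    print("content v2010 offset:0  ->", content_matches(info["payload"], b"v2010", 0))
    print("content v2010 offset:58 ->", content_matches(info["payload"], b"v2010", 58))
    print("ip header checksum ok:", info["ip_checksum_ok"])
    print("captured %d of %d bytes, truncated: %s" % (
        info["captured_frame_len"], info["expected_frame_len"], info["truncated"]))
```

The frame-level position 54 that Wireshark reports is the sum of the three header lengths (14 + 20 + 20); Snort's `offset` is measured after those headers have been stripped, which is why the same bytes sit at payload offset 0. The truncation check is worth keeping in any decoder you write for pasted dumps, since a frame shorter than its IP total length is not a well-formed packet whatever the rule says.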
