Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Issue with byte_test and bitmask

From: Damian Torres via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 27 Sep 2017 18:04:36 -0400
Greetings.


I've been working on some rules that involve byte_test and although I've
been able to flesh some of them out, I'm banging my head against the wall
with one in particular.  Here is what I'm currently working on:

alert udp any any -> any 53 (msg:"OpenVPN_P_CONTROL_HARD_RESET_CLIENT_V2";
byte_test:1,=,0x38,0,bitmask 0xF8; classtype:not-suspicious; sid:1; rev:1;)

The byte that I am trying to test against is the very first byte in the
beginning of the payload (right after the UDP header), byte 0.  Much like
DNS, this byte contains multiple values.  In this case, this contains two
values for the protocol.  The first five bits corresponds to an opcode, and
the last three bits corresponds to a key value.  So with 0x38, we have:

0011 1000

The first five bits have to be:

0011 1XXX - opcode of 7

I am trying to write the signature to fire regardless of what the last 3
bits are (any key) as long as the opcode is 7.  To do this, I tried:

byte_test:1,=,0x38,0;  -- This works if the opcode is 7 and the key is 0.
byte_test:1,=,0x38,0,bitmask 0xF8 -- This doesn't work at all.
byte_test:1,!&,0xc7,0; -- This fires on multiple opcodes.

My understand is that with the "bitmask 0xF8" option, it should do a
bitwise AND operation using 0xF8 before evaluating the equality portion of
the byte_test, which should drop off the last 3 bits and keep the first 5
bits exactly and then making sure they equal 0x38, but for some reason, it
doesn't work


I am testing this using Snort v2.9.9.0 GRE (Build 56) compiled from source.

Any assistance would be greatly appreciated.


Warm Regards,

Damian Torres

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: