Re: [Snort-sigs] Question on function of "within" command

Subject: Re: [Snort-sigs] Question on function of "within" command
Date: Mon, 31 Jul 2006 22:58:09 -0400
Answers inline

On Mon, Jul 31, 2006 at 05:15:00PM -0400, Al Roethlisberger sent me:
Although documented at:

http://www.snort.org/docs/snort_htmanuals/htmanual_233/node21.html#SECTION00457000000000000000

The "within" command seems a little confusing if used with the
"distance" command, which I have seen before in
some custom rules.

The purpose of offset/depth is to use them for the first content match.  
distance/within is for content matches that are relative to the previous 
content match.

You can use multiple offsets and depths in one rule, however you have to 
remember that every time you use the 'offset' keyword, the counter starts at 
byte 0, i.e. the first data byte after the headers.  

So if I wrote a rule like:

    content:"ABC"; offset:0; depth:3; content:"DEF"; offset:3; depth:3;

See how the offset starts back over at the beginning?
If I wrote the same rule using distance/within:

    content:"ABC"; offset:0; depth:3; content:"DEF"; distance:0; within:3;

Make sense?  (now, there is no point in writing offset:0; for the first 
content match.)


So, for example, if one has a rule such as:

content:"|XYZ|"; depth:3; content:"|1|"; distance:8; depth:1;
content:"|2|"; distance:4; depth:1;


content:"|XYZ|"; depth:3; content:"|1|"; distance:8; within:1; content:"|2|"; 
distance:4; within:1;  <-- is the correct re-write of the above.


If you are using distance, you need to use within, not depth.

How this would read is "XYZ" in the first three bytes of the packet, then, move 
8 bytes from the end of the Z in "XYZ" and look for "|1|", for one byte, then, 
after that one byte, move 4 more bytes, and look for a "|2|" for one byte.  

Now, say...  your last within was a "4" instead of a 1, it wouldn't look for 
just the "|2|" for one byte, the "|2|" could be anywhere 'within' the next four 
bytes, after moving the distance of 4 relative to the previous content match. 

Hope that helps.

Just remember two words:  Unique, and specific.  Make your rules unique, so as 
to avoid false positives, and specific, not only to avoid false positives, but 
to be fast.  Create the biggest content matches you can.  So instead of looking 
for "ABC" and "DEF" in two separate content matches, if you know ABC and DEF 
are always going to be sandwiched next to each other like "ABCDEF", then write 
content:"ABCDEF"; depth:6;  The rule engine will optimize this one better.

+---------------------------------------------------------------------+
Joel Esler          Senior Security Consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         GPG Key: http://demo.sourcefire.com/jesler.pgp.key
           AIM:eslerjoel  YMSG:eslerjoel  Gtalk:eslerj
+---------------------------------------------------------------------+
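The offset/depth versus distance/within semantics explained in the reply above, worked through in a small Python evaluator. This is an added illustration, not Snort's own matching code or anything from the list: it parses only the content/offset/depth/distance/within options, treats `|..|` as Snort hex notation, and runs the thread's "XYZ" rule over constructed payloads (the filler bytes and the literal 0x01/0x02 values are made up).

```python
# Mini-evaluator for the Snort content modifiers discussed in the thread.
# Added illustration of the described semantics; it is not Snort code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Content:
    pattern: bytes
    offset: int = 0                 # absolute: where the search window starts
    depth: Optional[int] = None     # absolute: window length counted from offset
    distance: Optional[int] = None  # relative: bytes to skip past the previous match
    within: Optional[int] = None    # relative: window length after that skip

def parse_pattern(text: str) -> bytes:
    """Snort content syntax: literal text with |hex| sections, e.g. 'ab|01 02|'."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(options: str) -> list:
    """Parse 'content:"XYZ"; depth:3; content:"|01|"; distance:8; within:1;'.
    Simplified: assumes no ';' inside a quoted content string."""
    contents = []
    for opt in options.split(";"):
        key, _, val = (s.strip() for s in opt.partition(":"))
        if key == "content":
            contents.append(Content(parse_pattern(val.strip('"'))))
        elif key in ("offset", "depth", "distance", "within"):
            setattr(contents[-1], key, int(val))  # modifier applies to the last content
    return contents

def match(payload: bytes, options: str) -> bool:
    cursor = 0  # byte just past the previous content match
    for c in parse_rule(options):
        if c.distance is not None or c.within is not None:
            start = cursor + (c.distance or 0)  # relative to the previous match
            end = start + c.within if c.within is not None else len(payload)
        else:
            start = c.offset                    # absolute: counter restarts at byte 0
            end = start + c.depth if c.depth is not None else len(payload)
        idx = payload.find(c.pattern, start, end)  # whole pattern must lie in [start, end)
        if idx < 0:
            return False
        cursor = idx + len(c.pattern)
    return True

# Constructed sample payloads: "XYZ", 8 filler bytes, 0x01, filler bytes, 0x02.
RULE = 'content:"XYZ"; depth:3; content:"|01|"; distance:8; within:1; content:"|02|"; distance:4; within:1;'
EXACT = b"XYZ" + b"A" * 8 + b"\x01" + b"B" * 4 + b"\x02"  # 0x02 exactly 4 bytes after 0x01
LATE = b"XYZ" + b"A" * 8 + b"\x01" + b"B" * 6 + b"\x02"   # 0x02 two bytes later than that
```

`match(LATE, RULE)` fails with `within:1`, but succeeds once the last `within` is widened to 4, which is the difference the reply describes.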


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs