
| Subject: | Re: [Snort-users] Interpretation of "offset" in context of "uricontent" keyword |
|---|---|
| Date: | Sat, 07 Jan 2006 17:41:40 -0500 |
Why not try it on a request and see:

```
alert tcp any any -> any 80 (msg:"offset 0 and uricontent test"; uricontent:"/s/ap"; offset:0; sid:1000000; rev:1;)
alert tcp any any -> any 80 (msg:"offset 20 and uricontent test"; uricontent:"/ap_on_go_pr_wh"; offset:20; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"offset 10 and uricontent test"; uricontent:"/ap_on_go_pr_wh"; offset:10; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"offset 25 and uricontent test"; uricontent:"/eavesdropping_ap_poll"; offset:25; sid:1000003; rev:1;)
```

then get http://news.yahoo.com/s/ap/20060107/ap_on_go_pr_wh/eavesdropping_ap_poll

WARNING: spoiler at the bottom of the mail.

Intru Defender wrote:
> Hi All,
>
> I am reposting this question in the hope of getting some replies:
>
> ======================================================================
>
> I need a little clarification about the interpretation of the "offset" modifier in conjunction with the "uricontent" keyword. Does Snort treat "offset" differently in the case of the "uricontent" keyword? In the case of the "uricontent" keyword, does Snort treat "offset:0" from the start of the URI, and not from the start of the payload?
>
> The Snort manual says that "offset" tells how many bytes to skip before starting to look for the specified "content", and that "offset" is calculated from the start of the payload. For example:
>
>     content: ".html"; offset:4;
>
> would mean start looking for ".html" after 4 bytes. However, in the case of the "uricontent" keyword, would
>
>     uricontent: ".html"; offset:0; depth:5;
>
> mean start looking from the start of the URI and within the next 5 characters? Or would it mean start looking for ".html" in the first 5 bytes of the payload?
>
> Any help will be highly appreciated.
>
> Thanks,
> Intru Defender
> <http://adworks.rediff.com/cgi-bin/AdWorks/sigclick.cgi/www.rediff.com/signature-home.htm/1507191490@Middle5?PARTNER=3>
Nice to include remote images as a sigline served from anything with "adworks" in the name. Cross-posted to two security-related mailing lists at that. Most people generally frown upon that kind of behavior.

```
$ sudo src/snort -c etc/snort.conf -l /tmp -A console -k none -i eth0
$ wget http://news.yahoo.com/s/ap/20060107/ap_on_go_pr_wh/eavesdropping_ap_poll

01/07-17:35:55.123525  [**] [1:1000003:1] offset 25 and uricontent test [**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800 len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435 IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046
47 45 54 20 2F 73 2F 61 70 2F 32 30 30 36 30 31  GET /s/ap/200601
30 37 2F 61 70 5F 6F 6E 5F 67 6F 5F 70 72 5F 77  07/ap_on_go_pr_w
68 2F 65 61 76 65 73 64 72 6F 70 70 69 6E 67 5F  h/eavesdropping_
61 70 5F 70 6F 6C 6C 20 48 54 54 50 2F 31 2E 30  ap_poll HTTP/1.0
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67  ..User-Agent: Wg
65 74 2F 31 2E 39 2E 31 0D 0A 48 6F 73 74 3A 20  et/1.9.1..Host: 
6E 65 77 73 2E 79 61 68 6F 6F 2E 63 6F 6D 0D 0A  news.yahoo.com..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E  Accept: */*..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/07-17:35:55.123525  [**] [1:1000002:1] offset 10 and uricontent test [**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800 len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435 IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046
47 45 54 20 2F 73 2F 61 70 2F 32 30 30 36 30 31  GET /s/ap/200601
30 37 2F 61 70 5F 6F 6E 5F 67 6F 5F 70 72 5F 77  07/ap_on_go_pr_w
68 2F 65 61 76 65 73 64 72 6F 70 70 69 6E 67 5F  h/eavesdropping_
61 70 5F 70 6F 6C 6C 20 48 54 54 50 2F 31 2E 30  ap_poll HTTP/1.0
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67  ..User-Agent: Wg
65 74 2F 31 2E 39 2E 31 0D 0A 48 6F 73 74 3A 20  et/1.9.1..Host: 
6E 65 77 73 2E 79 61 68 6F 6F 2E 63 6F 6D 0D 0A  news.yahoo.com..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E  Accept: */*..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/07-17:35:55.123525  [**] [1:1000000:1] offset 0 and uricontent test [**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800 len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435 IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046
47 45 54 20 2F 73 2F 61 70 2F 32 30 30 36 30 31  GET /s/ap/200601
30 37 2F 61 70 5F 6F 6E 5F 67 6F 5F 70 72 5F 77  07/ap_on_go_pr_w
68 2F 65 61 76 65 73 64 72 6F 70 70 69 6E 67 5F  h/eavesdropping_
61 70 5F 70 6F 6C 6C 20 48 54 54 50 2F 31 2E 30  ap_poll HTTP/1.0
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67  ..User-Agent: Wg
65 74 2F 31 2E 39 2E 31 0D 0A 48 6F 73 74 3A 20  et/1.9.1..Host: 
6E 65 77 73 2E 79 61 68 6F 6F 2E 63 6F 6D 0D 0A  news.yahoo.com..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E  Accept: */*..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
```

Snort-users mailing list: Snort-users@lists.sourceforge.net
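Added example, not code from the post or from the Snort project: a short Python model of how the offset and depth modifiers scope a content search, run against the request in the packet dump above. The REQUEST bytes are reconstructed from that dump; uri_buffer is a simplified stand-in for the URI buffer that http_inspect hands to uricontent (it does no normalization), and sid 1000004 is a hypothetical rule that is not in the post. In Snort 2.x, offset and depth apply to the buffer selected by the preceding keyword, so with uricontent they count from the first byte of the normalized URI rather than the first byte of the payload. The alerts in the mail are consistent with that (sids 1000000, 1000002 and 1000003 fire, 1000001 does not), but because "GET " only shifts every match by four bytes, the four posted rules fire identically under either reading. The block therefore evaluates them against both the URI buffer and the raw payload, and adds the offset:0; depth:5 form from the original question, which is the shape of rule that actually separates the two interpretations.

```python
"""Model of Snort's offset/depth search window for uricontent vs. raw payload.

Added example; it is neither the post's code nor Snort's. REQUEST is
reconstructed from the hex dump in the mail, uri_buffer() is a deliberately
simplified version of what http_inspect puts in the URI buffer (no
normalization), and sid 1000004 is a hypothetical rule not present in the post.
"""

# Constructed from the packet dump in the post (same bytes, same order).
REQUEST = (
    b"GET /s/ap/20060107/ap_on_go_pr_wh/eavesdropping_ap_poll HTTP/1.0\r\n"
    b"User-Agent: Wget/1.9.1\r\n"
    b"Host: news.yahoo.com\r\n"
    b"Accept: */*\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# (sid, pattern, offset, depth) for the four rules in the post.
# depth=None means "search to the end of the buffer".
POSTED_RULES = [
    (1000000, b"/s/ap", 0, None),
    (1000001, b"/ap_on_go_pr_wh", 20, None),
    (1000002, b"/ap_on_go_pr_wh", 10, None),
    (1000003, b"/eavesdropping_ap_poll", 25, None),
]

# Hypothetical extra rule (not in the post), the shape of the original question:
#   uricontent:"/s/ap"; offset:0; depth:5;
# The pattern sits at URI offset 0 but at payload offset 4, so a 5-byte window
# from the start only contains it when the window is measured from the URI.
DEPTH_RULE = (1000004, b"/s/ap", 0, 5)


def uri_buffer(payload: bytes) -> bytes:
    """Return the request-URI from the HTTP request line (simplified http_inspect)."""
    request_line = payload.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    return fields[1] if len(fields) >= 2 else b""


def content_match(buf: bytes, pattern: bytes, offset: int = 0, depth=None):
    """Snort semantics: skip `offset` bytes, then search `depth` bytes from there.

    The whole pattern must fit inside the window; bytes.find with an explicit
    end bound enforces exactly that. Returns the match position or None.
    """
    end = len(buf) if depth is None else min(len(buf), offset + depth)
    pos = buf.find(pattern, offset, end)
    return pos if pos >= 0 else None


def evaluate(rules, buf: bytes) -> dict:
    """Map sid -> True/False for each rule evaluated against one buffer."""
    return {sid: content_match(buf, pat, off, dep) is not None
            for sid, pat, off, dep in rules}


if __name__ == "__main__":
    uri = uri_buffer(REQUEST)
    print("URI buffer:", uri.decode())
    for label, buf in (("offset measured from URI buffer", uri),
                       ("offset measured from raw payload", REQUEST)):
        print(f"\n{label}:")
        for sid, pat, off, dep in POSTED_RULES + [DEPTH_RULE]:
            pos = content_match(buf, pat, off, dep)
            verdict = f"fires at {pos}" if pos is not None else "no match"
            print(f"  sid {sid}  offset:{off} depth:{dep}  -> {verdict}")
```

Run it and the two tables agree on every posted sid, including the silent 1000001, whose pattern starts at URI offset 14 (payload offset 18) and so never lies beyond offset 20 in either buffer; only the sid 1000004 row differs, firing from the URI buffer and not from the payload.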