Snort Manual

Published by: tigerbt on Nov 18, 2010
The byte extract keyword is another useful option for writing rules against length-encoded protocols. It reads in some number of bytes from the
packet payload and saves it to a variable. These variables can be referenced later in the rule, instead of using hard-coded values.

NOTE: Only two byte extract variables may be created per rule. They can be re-used in the same rule any number of times.


Format

byte_extract: <bytes to convert>, <offset>, <name> \
    [,relative] [,multiplier <value>] [,big] [,little] [,dce] \
    [,string] [,hex] [,dec] [,oct] [,align <value>]

Option              Description
bytes to convert    Number of bytes to pick up from the packet
offset              Number of bytes into the payload to start processing
name                Name of the variable. This will be used to reference the variable in other rule options.
relative            Use an offset relative to the last pattern match
multiplier <value>  Multiply the bytes read from the packet by <value> and save that number into the variable.
big                 Process data as big endian (default)
little              Process data as little endian
dce                 Use the DCE/RPC 2 preprocessor to determine the byte-ordering. The DCE/RPC 2 preprocessor must be enabled for this option to work.
string              Data is stored in string format in packet
hex                 Converted string data is represented in hexadecimal
dec                 Converted string data is represented in decimal
oct                 Converted string data is represented in octal
align <value>       Round the number of converted bytes up to the next <value>-byte boundary. <value> may be 2 or 4.

Other options which use byte extract variables

A byte extract rule option detects nothing by itself. Its use is in extracting packet data for use in other rule options. Here is a list of places where byte extract variables can be used:

Rule Option     Arguments that Take Variables
content         offset, depth, distance, within
byte test       offset, value
byte jump       offset
byte extract    offset
isdataat        offset

Examples

This example uses two variables to:

• Read the offset of a string from a byte at offset 0.
• Read the depth of a string from a byte at offset 1.
• Use these values to constrain a pattern match to a smaller area.

alert tcp any any -> any any (byte_extract: 1, 0, str_offset; \
    byte_extract: 1, 1, str_depth; \
    content: "bad stuff"; offset: str_offset; depth: str_depth; \
    msg: "Bad Stuff detected within field";)
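As an added illustration of the option semantics above and of the example rule, the following Python is not Snort's code and does not come from the manual; it is a simplified model. The function names byte_extract, content_match and example_rule_matches are hypothetical, the relative option is modelled as a relative_to argument carrying the end position of the last content match, and every payload shown is constructed test data.

```python
# Added illustration (not Snort's own code): a small Python model of the
# byte_extract option and of the manual's example rule (offset from byte 0,
# depth from byte 1, content "bad stuff" confined to that window).
# All payloads used here are constructed test data.

def byte_extract(payload: bytes, nbytes: int, offset: int, *,
                 relative_to=None, multiplier: int = 1, endian: str = "big",
                 string=None, align=None):
    """Read `nbytes` from `payload` starting at `offset` and return the value.

    relative_to: end position of the last content match (models `relative`).
    endian:      "big" (default) or "little".
    string:      None for raw bytes, or "hex"/"dec"/"oct" when the number is
                 stored as ASCII text (models `string` with `hex`/`dec`/`oct`).
    multiplier:  multiply the extracted value (models `multiplier <value>`).
    align:       2 or 4, round the value up to that boundary (models `align`).
    Returns None when the packet is too short, i.e. the option does not match.
    """
    start = offset + (relative_to or 0)
    if start < 0:
        return None
    chunk = payload[start:start + nbytes]
    if len(chunk) != nbytes:
        return None                      # not enough payload: no match
    if string is not None:
        base = {"hex": 16, "dec": 10, "oct": 8}[string]
        try:
            value = int(chunk.decode("ascii"), base)
        except (UnicodeDecodeError, ValueError):
            return None                  # text that is not a number in that base
    else:
        value = int.from_bytes(chunk, "little" if endian == "little" else "big")
    value *= multiplier
    if align in (2, 4):
        value = -(-value // align) * align   # round up to the align boundary
    return value


def content_match(payload: bytes, pattern: bytes, offset: int = 0, depth=None):
    """Model of `content` with `offset`/`depth`: the pattern must lie entirely
    inside payload[offset:offset+depth]. Returns the end index of the match,
    or None when it is not found in that window."""
    end = len(payload) if depth is None else offset + depth
    pos = payload.find(pattern, offset, end)
    return None if pos < 0 else pos + len(pattern)


def example_rule_matches(payload: bytes) -> bool:
    """The manual's example rule as a function: two variables (the per-rule
    maximum), both read from fixed offsets, then used to constrain the search."""
    str_offset = byte_extract(payload, 1, 0)
    str_depth = byte_extract(payload, 1, 1)
    if str_offset is None or str_depth is None:
        return False
    return content_match(payload, b"bad stuff", str_offset, str_depth) is not None


if __name__ == "__main__":
    # Constructed payloads with the layout [offset byte][depth byte][data...]
    print(example_rule_matches(b"\x02\x09bad stuff"))        # True
    print(example_rule_matches(b"\x00\x02bad stuff"))        # False: outside window
    print(byte_extract(b"\x01\x02", 2, 0, endian="little"))  # 513
```

The second payload shows what the constraint buys: "bad stuff" is present in the packet, but the length fields say the field is two bytes long starting at 0, so a rule written this way does not fire on it, whereas a bare content: "bad stuff" would.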
