[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-sigs
Subject: Re: [Snort-sigs] Question regarding content of a rule
From: "Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists ! snort ! org>
Date: 2020-07-27 13:52:44
Message-ID: 9A6D57BF-3CBD-4604-B560-72A81B6F6235 () cisco ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
This rule has been deleted, however.
Digits in between pipes (for instance below |09|) is looking for 09 in hex, not \
ascii.
Since this is a DNS lookup, |09| is the number of bytes in the next sequence \
"tiptronic".
> On Jul 27, 2020, at 7:37 AM, Matej Lietava via Snort-sigs \
> <snort-sigs@lists.snort.org> wrote:
> Hi guys,
>
> Sorry I am quite new to snort and I have been checking our the various rules that \
> are in the snort3 rules file.I am writing my on rule parser and small detection \
> engine that will work off of the snort rules. I have been trying to understand the \
> rule options but I am quite confused when it comes to some of the content options. \
> Some of the signatures are just byte code indicated by |. I understand that but I \
> don't understand what it means when there are strings and bytecode in the same \
> content signature such as for rule SID: 32385 where it is content: \
> "|09|tiptronic|04|soxx|02|us|00|". DOes this mean that the byte code 0x09 will be \
> first and then immediately after the string tiptronic? I am very confused in \
> understanding how the signature works when there are bytecode and strings together. \
> Thank you.
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.snort.org <mailto:Snort-sigs@lists.snort.org>
> https://lists.snort.org/mailman/listinfo/snort-sigs \
> <https://lists.snort.org/mailman/listinfo/snort-sigs>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news \
> about Snort!
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette \
> <https://snort.org/faq/what-is-the-mailing-list-etiquette>
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, \
> make sure to stay up to date to catch the most <a href=" \
> https://snort.org/downloads/#rule-downloads \
> <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!
[Attachment #5 (unknown)]
<html><head><meta http-equiv="Content-Type" content="text/html; \
charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; \
line-break: after-white-space;" class="">This rule has been deleted, however.<div \
class=""><br class=""></div><div class="">Digits in between pipes (for instance below \
|09|) is looking for 09 in hex, not ascii.</div><div class=""><br class=""></div><div \
class="">Since this is a DNS lookup, |09| is the number of bytes in the next sequence \
"tiptronic".<br class=""><div><br class=""><blockquote type="cite" class=""><div \
class="">On Jul 27, 2020, at 7:37 AM, Matej Lietava via Snort-sigs <<a \
href="mailto:snort-sigs@lists.snort.org" class="">snort-sigs@lists.snort.org</a>> \
wrote:</div><br class="Apple-interchange-newline"><div class=""><div \
style="font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; \
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
text-decoration: none; font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;" \
class="">Hi guys,</div><div style="font-style: normal; font-variant-caps: normal; \
font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; \
text-transform: none; white-space: normal; word-spacing: 0px; \
-webkit-text-stroke-width: 0px; text-decoration: none; font-family: Calibri, \
Helvetica, sans-serif; font-size: 12pt;" class=""><br class=""></div><div \
style="font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; \
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
text-decoration: none; font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;" \
class="">Sorry I am quite new to snort and I have been checking our the various rules \
that are in the snort3 rules file.I am writing my on rule parser and small detection \
engine that will work off of the snort rules. I have been trying to understand the \
rule options but I am quite confused when it comes to some of the content options. \
Some of the signatures are just byte code indicated by |. I understand that but I \
don't understand what it means when there are strings and bytecode in the same \
content signature such as for rule SID: 32385 where it is content: \
"|09|tiptronic|04|soxx|02|us|00|". DOes this mean that the byte code 0x09 will be \
first and then immediately after the string tiptronic?</div><div style="font-style: \
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; \
text-align: start; text-indent: 0px; text-transform: none; white-space: normal; \
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; \
font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;" class="">I am very \
confused in understanding how the signature works when there are bytecode and strings \
together.</div><div style="font-style: normal; font-variant-caps: normal; \
font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; \
text-transform: none; white-space: normal; word-spacing: 0px; \
-webkit-text-stroke-width: 0px; text-decoration: none; font-family: Calibri, \
Helvetica, sans-serif; font-size: 12pt;" class=""><br class=""></div><div \
style="font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; \
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
text-decoration: none; font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;" \
class="">Thank you.</div><span style="caret-color: rgb(0, 0, 0); font-family: \
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; \
font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; \
text-transform: none; white-space: normal; word-spacing: 0px; \
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline \
!important;" class="">_______________________________________________</span><br \
style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: \
normal; text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" \
class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: \
12px; font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; \
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
text-decoration: none; float: none; display: inline !important;" class="">Snort-sigs \
mailing list</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; \
font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; \
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
text-decoration: none;" class=""><a href="mailto:Snort-sigs@lists.snort.org" \
style="font-family: Helvetica; font-size: 12px; font-style: normal; \
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: \
auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; \
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; \
-webkit-text-stroke-width: 0px;" class="">Snort-sigs@lists.snort.org</a><br \
style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: \
normal; text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" \
class=""><a href="https://lists.snort.org/mailman/listinfo/snort-sigs" \
style="font-family: Helvetica; font-size: 12px; font-style: normal; \
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: \
auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; \
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; \
-webkit-text-stroke-width: 0px;" \
class="">https://lists.snort.org/mailman/listinfo/snort-sigs</a><br \
style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: \
normal; text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" \
class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: \
12px; font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; \
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: \
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; \
font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; \
text-transform: none; white-space: normal; word-spacing: 0px; \
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline \
!important;" class="">Please visit<span \
class="Apple-converted-space"> </span></span><a href="http://blog.snort.org/" \
style="font-family: Helvetica; font-size: 12px; font-style: normal; \
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: \
auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; \
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; \
-webkit-text-stroke-width: 0px;" class="">http://blog.snort.org</a><span \
style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: \
normal; text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; \
float: none; display: inline !important;" class=""><span \
class="Apple-converted-space"> </span>for the latest news about Snort!</span><br \
style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: \
normal; text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" \
class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: \
12px; font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; \
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: \
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; \
font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; \
text-transform: none; white-space: normal; word-spacing: 0px; \
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline \
!important;" class="">Please follow these rules:<span \
class="Apple-converted-space"> </span></span><a \
href="https://snort.org/faq/what-is-the-mailing-list-etiquette" style="font-family: \
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; \
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; \
text-indent: 0px; text-transform: none; white-space: normal; widows: auto; \
word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" \
class="">https://snort.org/faq/what-is-the-mailing-list-etiquette</a><br \
style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: \
normal; text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" \
class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: \
12px; font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; \
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: \
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; \
font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; \
text-transform: none; white-space: normal; word-spacing: 0px; \
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline \
!important;" class="">Visit the<span \
class="Apple-converted-space"> </span></span><a href="http://snort.org/" \
style="font-family: Helvetica; font-size: 12px; font-style: normal; \
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: \
auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; \
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; \
-webkit-text-stroke-width: 0px;" class="">Snort.org</a><span style="caret-color: \
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; \
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: \
start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: \
0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: \
inline !important;" class=""><span class="Apple-converted-space"> </span>to \
subscribe to the official Snort ruleset, make sure to stay up to date to catch the \
most <a href="<span class="Apple-converted-space"> </span></span><a \
href="https://snort.org/downloads/#rule-downloads" style="font-family: Helvetica; \
font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; \
text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; \
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" \
class="">https://snort.org/downloads/#rule-downloads</a><span style="caret-color: \
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; \
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: \
start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: \
0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: \
inline !important;" class="">">emerging \
threats</a>!</span></div></blockquote></div><br class=""></div></body></html>
["smime.p7s" (smime.p7s)]
0� *H
��� 0���1�0
� `H�e������0� *H
����� �0�n0�V �����
a�m������0
� *H
�����051�0���U�
�
Cisco Systems1�0���U����Cisco Root CA 20480��
140404202418Z�
290514202542Z0,1�0���U�
��Cisco1�0���U����Cisco Employee CA0�"0
� *H
���������0�
����~�LS�#Vƹe
�LEg���m_7*{�Pɿ=/<��5︥QNٰS ,,e�ok_@
PD�MLF�H�c'��n�Ce�/}Y]�,}DR \
�Y�1BB9'ӁbT,&=�Ш�(�<MLK�l�q2$a�qh?wS~�s�Wt^ \
4���uT_,��ewR"w������0�0�� +����7�������0���U������6]K \
)CQ�Q0�� +����7����� \
�S�u�b�C�A0���U�������0���U������0������0���U�#��0��'��n� �+ \
`_{/0C��U���<0:08 6 \
42http://www.cisco.com/security/pki/crl/crca2048.crl0P��+��������D0B0@��+�����0�4http://www.cisco.com/security/pki/certs/crca2048.cer0\��U� \
�U0S0Q� +���� ����0C0A��+��������5http://www.cisco.com/security/pki/policies/index.html0
� *H
���������>N#�F�^kۊ�4�c�<&]p$`^슄d.�Y�g��M}D#(�Dm!T(laeP�@*n�>��q�I2KJX�L6/
8]TyʅRVw
�!N$2�⾥q-N7/VhFGEk]P%:)AS~W1*gSuw!:Gi'qzs/}ͦx(eÉw^B� \
�1yv:Av AP� )� o��?"?F0� 0� �����
��h08J+0
� *H
�����0,1�0���U�
��Cisco1�0���U����Cisco Employee CA0��
181121000000Z�
201120001000Z01�0���U����Joel Esler (jesler)1�0���U����Cisco \
Users1�0���U��� Employees1�0�� &,d����com1�0��
&,d����cisco1�0�� *H
� ���jesler@cisco.com0�"0
� *H
���������0�
����X|`D2\I%B̸[eeqB�!;m�>X^�v�2^� 0(!�Q}o
!F@�<�Y
8be|���YO;W6m"AN6hCK
;�MU 2G�\H���0wWIǦ2#ʓ*rG=g.��L"@B<K>�vAi*)=j�Mn?C�3:ޛ0R2ۏ�ݍn(LT�.}�Vn�̢
������X0�T0���U���������0���U������0�0z��+��������n0l0<��+�����0�0http://www.cisco.com/security/pki/certs/ceca.cer0,��+�����0� \
http://pkicvs.cisco.com/pki/ocsp0���U�#��0��6]K )CQ�Q0:��U���3010/ - \
+)http://ciscocerts.cisco.com/file/ceca.crl0���U����0��jesler@cisco.com0���U������4�Kh��c"𥕑�0���U�%��0��
+����7
����+�������0
� *H
���������7%r3}RG5{Rz8J�̅W7n3� \
�蛭�/R�ڢ�~T1-IF}B.hB�,gEk /�ZlCuvfOs!% \
x�ofoc]O.ur�MK#4ˉj*X;!%�?m��)DTjJ!h�dR!{i0'UЪu \
�>@} |`]%)��fC���]2ˇkU��J�GZuzuҹY�ŪJ#��_{�1�j0�f���0:0,1�0���U�
��Cisco1�0���U����Cisco Employee CA�
��h08J+0
� `H�e������ ��0�� *H
� �1�� *H
���0�� *H
� �1��
200727135244Z0/� *H
� �1"� T2ӫ�|,",Uw-{dt#ō�y0I� +����7��1<0:0,1�0���U�
��Cisco1�0���U����Cisco Employee CA�
��h08J+0K��*H
� ���1< :0,1�0���U�
��Cisco1�0���U����Cisco Employee CA�
��h08J+0
� *H
��������Mb�8��s4
Vo ��K|9� :�af ZYNG/�>�.M�W3.�NY]AKU~��r \
�l>47&i�<u1IR.f�+s<�t_֭T:1C1E-72eT�u�Y�(JƆ0�s<�v \
7bhGώdZ�i^NTe/hB~8@;C�\滒��WBQ`Po0~swV$,������
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up \
to date to catch the most <a href=" \
https://snort.org/downloads/#rule-downloads">emerging threats</a>!
--===============2185287688724822870==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic