Re: [Snort-devel] is offset subtracted from depth?
From: Brian <bmc(at)snort.org>
Date: Mon Mar 15 2004 - 16:04:51 EST
On Wed, Mar 03, 2004 at 09:46:09PM +0000, Jason Lunz wrote:
This is correct.

> else /* otherwise just use the offset (validated by calling function) */

Yep. I'll attempt to illustrate what's going on inside of snort without explaining how pointers and pointer math work. Let's start with the buffer below.

GET /cgi-bin/phf?attack=/bin/sh HTTP/1.0
0123456789012345678901234567890123456789

The way the pattern match code works is we pass a buffer to be checked, and the length of the buffer. When you use "depth:5;", while evaluating the current pattern, treat the buffer as 5 bytes long. We end up with this:

GET /
When you use "offset:5;", while evaluating the current pattern, we set the start of the pattern 5 bytes into the pattern. We end up with this:
cgi-bin/phf?attack=/bin/sh HTTP/1.0
So our pattern is now 5 bytes shorter. The code above shrinks the temporary length of the buffer by how much we are skipping. If we didn't do this, we would end up reading arbitrary memory, which would be very bad. (This is what the code above is doing.)

When you use "depth:5; offset:5;", while evaluating the current pattern, we set the start of the pattern 5 bytes into the pattern, then treat the buffer as 5 bytes long. We end up with:

cgi-b

Brian

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Mon Mar 15 16:49:52 2004
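The offset/depth arithmetic Brian describes, as an added example that is not Snort's own code: `window_len` computes the length of the search window the way the post describes (skip `offset` bytes and shrink the remaining length by the same amount, then cap it at `depth`), and `content_match` searches only inside that window so it can never read past the end of the buffer. The function names, the convention that `depth == 0` means "no depth limit", and the reuse of the post's 40-byte request as a constructed sample are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the request buffer from the post above (40 bytes). */
#define SAMPLE_BUF "GET /cgi-bin/phf?attack=/bin/sh HTTP/1.0"
#define SAMPLE_LEN (sizeof(SAMPLE_BUF) - 1)

/*
 * Effective length of the search window after applying offset and depth.
 * Assumption (not Snort's API): depth == 0 means "no depth limit".
 * Returns 0 when the offset lands at or past the end of the buffer, so the
 * caller has nothing to search and never reads beyond buf + buflen.
 */
size_t window_len(size_t buflen, size_t offset, size_t depth)
{
    if (offset >= buflen)
        return 0;
    size_t len = buflen - offset;   /* shrink by the amount we skip */
    if (depth > 0 && depth < len)
        len = depth;                /* depth is counted from the offset */
    return len;
}

/*
 * Search for pat inside the window [buf + offset, buf + offset + window_len).
 * Returns the index of the first match relative to buf, or -1 if none.
 */
long content_match(const char *buf, size_t buflen,
                   const char *pat, size_t patlen,
                   size_t offset, size_t depth)
{
    size_t len = window_len(buflen, offset, depth);
    if (patlen == 0 || len < patlen)
        return -1;                  /* pattern cannot fit in the window */

    const char *start = buf + offset;
    /* i + patlen <= len keeps every memcmp inside the window; without the
       shrunken len this loop would walk off the end of the buffer. */
    for (size_t i = 0; i + patlen <= len; i++) {
        if (memcmp(start + i, pat, patlen) == 0)
            return (long)(offset + i);
    }
    return -1;
}

int main(void)
{
    const char *buf = SAMPLE_BUF;
    struct { size_t offset, depth; } cases[] = { {0, 5}, {5, 0}, {5, 5} };

    /* Reproduce the three windows from the post: "GET /", "cgi-bin/...", "cgi-b" */
    for (size_t c = 0; c < 3; c++) {
        size_t len = window_len(SAMPLE_LEN, cases[c].offset, cases[c].depth);
        printf("offset:%zu depth:%zu -> \"%.*s\"\n",
               cases[c].offset, cases[c].depth, (int)len, buf + cases[c].offset);
    }
    printf("\"cgi-b\" with offset:5 depth:5 -> %ld\n",
           content_match(buf, SAMPLE_LEN, "cgi-b", 5, 5, 5));
    printf("\"phf\" with depth:5 -> %ld\n",
           content_match(buf, SAMPLE_LEN, "phf", 3, 0, 5));
    return 0;
}
```

The check to notice is the `offset >= buflen` guard together with `len = buflen - offset`: an offset larger than the buffer yields an empty window rather than a pointer past the end, and a pattern longer than the window is rejected before any byte is compared.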