[Emerging-Sigs] chrome rdp

Rich Rumble richrumble at gmail.com
Fri Oct 14 15:37:36 EDT 2011


Ok, I need a refresher... I've gone over and over
http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html,
but so far I'm only getting a solid match for the first part of my content;
when I add in the second, no matter what distance/depth/offset/within I try, it fails.
This is against snort 2.9.x, btw.

The Raw packet is attached for more detail.

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Incoming Chromoting Detected"; flow:to_server,established; content:"|63 68 72 6F 6D 6F 74 69 6E 67 30|"; distance:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67 30|"; distance:40; reference:url,xinn.org/Chromoting.html; sid:999999900;)

How would one match content that appears twice in a packet, skipping what is in the
middle of the matches... (the stuff in between varies in value, but so far not in length)


000000a0h: 30 15 31 13 30 11 06 03 55 04 03 13 0A 63 68 72 ; 0.1.0...U....chr
000000b0h: 6F 6D 6F 74 69 6E 67 30 1E 17 0D 31 31 31 30 31 ; omoting0...11101
000000c0h: 34 31 38 32 32 32 34 5A 17 0D 31 31 31 30 31 35 ; 4182224Z..111015
000000d0h: 31 38 32 32 32 34 5A 30 15 31 13 30 11 06 03 55 ; 182224Z0.1.0...U
000000e0h: 04 03 13 0A 63 68 72 6F 6D 6F 74 69 6E 67 30 82 ; ....chromoting0‚
-rich
-------------- next part --------------
A non-text attachment was scrubbed...
Name: incomming-udp-005.raw
Type: application/octet-stream
Size: 812 bytes
Desc: not available
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20111014/f766572d/incomming-udp-005.obj
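An added example (mine, not from Rich's post or the Emerging Threats rule set) that emulates Snort's content-modifier semantics in Python over the bytes of the hex dump above, so the two likely reasons for the second content failing can be checked without a running sensor. Assumptions: offset/depth are taken as absolute from payload start and distance/within as relative to the end of the previous match, with the pattern having to fit entirely inside the search window, which is how I read the Snort 2.9 manual (confirm against your build); the zero filler in front of the dumped bytes is constructed so that offsets line up with the dump's left column; the 42-byte header length assumes Ethernet + IPv4 without options + UDP. All function and constant names are mine.

```python
"""Emulate Snort 2.x content / offset / depth / distance / within matching.

Added example, not code from the original post. DUMP_HEX is transcribed from
the hex dump in the post; everything else is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

DUMP_START = 0xA0
DUMP_HEX = " ".join([
    "30 15 31 13 30 11 06 03 55 04 03 13 0A 63 68 72",  # 0x000000a0
    "6F 6D 6F 74 69 6E 67 30 1E 17 0D 31 31 31 30 31",  # 0x000000b0
    "34 31 38 32 32 32 34 5A 17 0D 31 31 31 30 31 35",  # 0x000000c0
    "31 38 32 32 32 34 5A 30 15 31 13 30 11 06 03 55",  # 0x000000d0
    "04 03 13 0A 63 68 72 6F 6D 6F 74 69 6E 67 30 82",  # 0x000000e0
])
# Constructed zero filler so that FRAME[i] sits at the same offset i the dump shows.
FRAME = b"\x00" * DUMP_START + bytes.fromhex(DUMP_HEX)
# Ethernet(14) + IPv4 without options(20) + UDP(8): what Snort strips before its
# payload-relative offsets apply, IF the .raw file is a whole frame (assumption).
L2L3L4_HEADERS = 14 + 20 + 8

CHROMOTING = bytes.fromhex("63 68 72 6F 6D 6F 74 69 6E 67 30")  # "chromoting0"


@dataclass
class Content:
    """One content: keyword with its modifiers (0 means 'not set')."""
    pattern: bytes
    offset: int = 0     # absolute: start searching at this payload offset
    depth: int = 0      # absolute: length of the window from offset (0 = to end)
    distance: int = 0   # relative: skip this many bytes past the previous match
    within: int = 0     # relative: length of the window after the skip (0 = to end)

    @property
    def relative(self) -> bool:
        # A content with distance or within is evaluated relative to the
        # previous match (Snort's "doe" pointer); otherwise from payload start.
        return self.distance != 0 or self.within != 0


def match_contents(payload: bytes, contents: List[Content]) -> Optional[List[int]]:
    """Walk the content chain; return each match's start offset, or None on failure."""
    doe = 0                      # detect-offset-end: one past the last match
    hits: List[int] = []
    for c in contents:
        if c.relative:
            start = doe + c.distance
            length = c.within if c.within else len(payload) - start
        else:
            start = c.offset
            length = c.depth if c.depth else len(payload) - start
        if start < 0 or start >= len(payload):
            return None
        window = payload[start:start + length]   # pattern must fit inside the window
        pos = window.find(c.pattern)
        if pos < 0:
            return None
        hits.append(start + pos)
        doe = start + pos + len(c.pattern)
    return hits


# The chain from the posted rule: distance:170 on the first content (relative to
# payload start, since nothing precedes it), distance:40 on the second.
POSTED_RULE = [Content(CHROMOTING, distance=170), Content(CHROMOTING, distance=40)]


def posted_rule_payload_offsets() -> Optional[List[int]]:
    """Hypothesis 1: the dump's offsets already are Snort payload offsets."""
    return match_contents(FRAME, POSTED_RULE)


def posted_rule_frame_offsets() -> Optional[List[int]]:
    """Hypothesis 2: the dump is a whole frame, so Snort's payload starts 42 bytes in."""
    return match_contents(FRAME[L2L3L4_HEADERS:], POSTED_RULE)


def bounded_rule(within: int) -> Optional[List[int]]:
    """Same chain with within: on the second content, enforcing the fixed-size gap."""
    return match_contents(FRAME, [Content(CHROMOTING, distance=170),
                                  Content(CHROMOTING, distance=40, within=within)])


if __name__ == "__main__":
    print("payload offsets:", posted_rule_payload_offsets())   # [173, 228]
    print("frame offsets:  ", posted_rule_frame_offsets())     # None
    print("within:20       ", bounded_rule(20))                # [173, 228]
    print("within:10       ", bounded_rule(10))                # None
```

With the dump offsets taken as payload offsets the posted chain matches at 0xad and 0xe4 (the first "chromoting0" starts at 0xad, after the 0x0A length byte), and within:20 on the second content still matches while within:10 does not, because the 11-byte pattern has to fit inside the window. Treating the same bytes as a whole frame moves Snort's payload start 42 bytes later, so distance:170 skips past the first occurrence and the chain dies on the second. Two checks worth making on the real capture: whether incomming-udp-005.raw carries link/IP/UDP headers, and whether the rule fires with flow:to_server,established removed, since on UDP that keyword depends on stream5's UDP session tracking. The bytes between the two matches are a DER Validity SEQUENCE (30 1E, then two 13-byte UTCTime values, 17 0D ...) followed by the subject Name preamble, which is why the gap has constant length; the trailing "0" of "chromoting0" is the 0x30 SEQUENCE tag that follows the PrintableString "chromoting" (13 0A), not part of the name.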


More information about the Emerging-sigs mailing list