SNORT – Content Modifier – Offset

In the last post, I explained how the content keyword is used to detect a pattern within the payload of a packet. Numerous modifiers can be used in conjunction with the keyword to change pattern-matching behaviour. In this post, we will discuss the offset keyword. Offset indicates the starting byte for pattern matching. For example, an offset of 3 tells SNORT to ignore the first 3 bytes of the payload and look for the pattern after them.

The rule from the previous post will be modified with the offset keyword. After examining the packet capture, we noticed that the pattern starts after the first 13 bytes of the payload. To reflect this in the rule, an offset of 13 is applied along with the content keyword and the pattern, as highlighted in the screencap below.

The final rule is as below.

alert udp any any -> any 53 (msg:"Youtube - DNS Query"; content:"|77 77 77 07 79 6f 75 74 75 62 65 03 63 6f 6d|"; offset:13; sid:1000002;)

The rule fires as expected when YouTube is browsed.

02/07-23:46:15.853093 [**] [1:1000002:0] ”Youtube - DNS Query” [**] [Priority: 0] {UDP} 99.234.115.36:31551 -> 8.8.8.8:53

It is important to note what happens if the offset value overlaps with the pattern we are trying to detect. In other words, if the offset value is greater than the actual location of the pattern, SNORT will start searching from a location where the pattern will not be detected. In our example, if we specify an offset value of 14 instead of 13, SNORT will start searching after the first byte of our pattern, so the rule will not match.
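The offset behaviour described above can be checked offline with a small model. This is an added example, not code from the original post or from SNORT: build_dns_query and content_match are hypothetical helpers, the DNS payload is constructed for the test, and content_match is a simplified stand-in for content matching with offset (no depth, no other modifiers).

```python
import struct

# Pattern from the rule: "www" 0x07 "youtube" 0x03 "com"
PATTERN = bytes.fromhex("77 77 77 07 79 6f 75 74 75 62 65 03 63 6f 6d")


def build_dns_query(name, txid=0x1234):
    """Build a constructed DNS A-record query (UDP payload only)."""
    # 12-byte header: ID, flags (recursion desired), QDCOUNT=1, other counts 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is prefixed with its length, terminated by 0x00
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def content_match(payload, pattern, offset=0):
    """Simplified model: the search begins `offset` bytes into the payload."""
    return payload.find(pattern, offset) != -1


if __name__ == "__main__":
    payload = build_dns_query("www.youtube.com")
    # 12 header bytes + 1 length byte (0x03) precede "www", so it sits at index 13
    print("pattern starts at byte index", payload.find(PATTERN))
    for offset in (0, 12, 13, 14):
        result = "match" if content_match(payload, PATTERN, offset) else "no match"
        print(f"offset:{offset:<2} -> {result}")
    # A query without the "www" label never contains the pattern at all
    other = build_dns_query("youtube.com")
    print("youtube.com ->", "match" if content_match(other, PATTERN) else "no match")
```

Any offset from 0 through 13 matches this payload; the value of a tight offset is that the search skips the DNS header bytes instead of scanning them.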

 

Mihir

 
