parsed_type

Use the --parsed_type keyword to match a packet or session attribute that can be identified by the dissectors. A signature can have more than one --parsed_type keyword.
Syntax:
--parsed_type <type>;
| <type> | Description |
|---|---|
| | These types are used to identify the SSL and TLS versions. |
| | These match sessions using the SOCKS 4 or SOCKS 5 proxy protocols. |
| HTTP_GET | The HTTP request method to be matched is GET. This is valid for the lifetime of the request. In most cases, a signature using --service HTTP; --parsed_type HTTP_GET; can replace a pattern-based signature like this: --service HTTP; --pattern "GET\|20\|"; --context uri; --within 4,context; However, sometimes the GET string must be checked explicitly: |
| HTTP_POST | The HTTP request method to be matched is POST. This is valid for the lifetime of the request. |
| HTTP_CHUNKED | The Transfer-Encoding type of the HTTP request to be matched is chunked. This is valid for the lifetime of the request. In most cases, a signature using --parsed_type HTTP_CHUNKED; can replace one that looks for strings, like this: --service HTTP; --pattern "TransferEncoding"; --context header; --no_case; --pattern "chunked"; --context header; --no_case; --distance 1; |
Examples:
--parsed_type HTTP_POST;
--parsed_type HTTP_GET;
The following are two versions of the same HTTP signature. The second one is faster and more accurate.
F-SBID ( --name "FrontPage.FP30reg.Chunked.Overflow"; --protocol tcp; --service HTTP; --flow from_client; --pattern "POST"; --context uri; --distance 0,context; --within 5,context; --pattern "/vti_bin/vti_aut/fp30reg.dll"; --context uri; --no_case; --distance 0; --pattern "TransferEncoding"; --context header; --no_case; --pattern "chunked"; --context header; --no_case; --distance 1; )
F-SBID ( --name "FrontPage.FP30reg.Chunked.Overflow"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_POST; --pattern "/vti_bin/_vti_aut/fp30reg.dll"; --context uri; --no_case; --parsed_type HTTP_CHUNKED; )
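The difference between the two FrontPage signatures above comes down to where the match is evaluated: a raw pattern is tested against the bytes in front of the engine, while a parsed attribute is set by the HTTP dissector once the request head has been seen and stays valid for the lifetime of the request, however the request is split across packets. The script below is an added illustration, not FortiGate's IPS engine or the F-SBID language: HttpRequestState is a hypothetical minimal HTTP dissector that derives HTTP_GET, HTTP_POST and HTTP_CHUNKED from the request line and headers (never from the body), parsed_match reproduces the logic of the second signature on top of it, and naive_match is a deliberately context-free byte scan evaluated one segment at a time, standing in for a pattern-only approach. The three traffic samples are constructed; the URI string is the one from the second signature.

```python
# Added illustration only: a hypothetical minimal HTTP dissector, not the
# FortiGate IPS engine or its F-SBID signature language.
from dataclasses import dataclass, field

# URI pattern taken from the second FrontPage signature above.
TARGET_URI = b"/vti_bin/_vti_aut/fp30reg.dll"


@dataclass
class HttpRequestState:
    """Per-request state kept across TCP segments. Once the request head has
    been parsed, the attributes stay set for the lifetime of the request,
    which is what a --parsed_type match relies on."""
    buf: bytes = b""
    attrs: set = field(default_factory=set)
    uri: bytes = b""
    head_done: bool = False

    def feed(self, segment: bytes) -> set:
        """Consume one segment and return the attributes known so far."""
        if self.head_done:
            return self.attrs               # already parsed; attributes persist
        self.buf += segment
        head, sep, _body = self.buf.partition(b"\r\n\r\n")
        if not sep:
            return self.attrs               # head still incomplete: keep buffering
        self.head_done = True
        lines = head.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) == 3:                 # METHOD SP URI SP VERSION
            method, self.uri = parts[0], parts[1]
            if method == b"GET":
                self.attrs.add("HTTP_GET")
            elif method == b"POST":
                self.attrs.add("HTTP_POST")
        for line in lines[1:]:
            name, colon, value = line.partition(b":")
            if colon and name.strip().lower() == b"transfer-encoding":
                # Header name and coding tokens are case-insensitive;
                # chunked must be the last coding applied.
                codings = [c.strip().lower() for c in value.split(b",")]
                if codings and codings[-1] == b"chunked":
                    self.attrs.add("HTTP_CHUNKED")
        return self.attrs


def parsed_match(segments):
    """Logic of the second FrontPage signature: HTTP_POST and HTTP_CHUNKED
    parsed attributes plus a case-insensitive URI pattern."""
    state = HttpRequestState()
    for seg in segments:
        state.feed(seg)
    return ({"HTTP_POST", "HTTP_CHUNKED"} <= state.attrs
            and TARGET_URI.lower() in state.uri.lower())


def naive_match(segments):
    """Context-free byte scan evaluated one segment at a time: fires only if
    every string occurs somewhere in the same segment, body included."""
    for seg in segments:
        low = seg.lower()
        if (low.startswith(b"post ") and TARGET_URI.lower() in low
                and b"transfer-encoding" in low and b"chunked" in low):
            return True
    return False


# Constructed sample traffic (not captured data).
FULL = [
    b"POST /vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: Chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n",
]
# The same request with its headers split across two segments.
SPLIT = [
    b"POST /vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\nHost: example.test\r\n",
    b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
]
# A different POST whose body merely contains the strings a byte scan wants.
DECOY = [
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 56\r\n\r\n"
    b"Transfer-Encoding: chunked /vti_bin/_vti_aut/fp30reg.dll",
]

if __name__ == "__main__":
    for label, segs in (("full", FULL), ("split", SPLIT), ("decoy", DECOY)):
        print(f"{label:5s} parsed={parsed_match(segs)} naive={naive_match(segs)}")
```

Run as a script, the full request matches under both approaches, the split request matches only through the parsed attributes (the byte scan never sees the method and the header in one segment), and the decoy matches only under the byte scan, because the dissector takes HTTP_CHUNKED from the headers and never from body content.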
The following two SSL signatures detect the same vulnerability. The second signature is better.
F-SBID( --name "SSL.PCT.Overflow"; --protocol tcp; --dst_port 443; --flow from_client; --tag test,!Tag.SSLv3.Web.443; --tag test,!Tag.SSLv2.Web.443; --tag test,!Tag.TLSv1.Web.443; --pattern "|01|"; --within 1,packet; --distance 2,packet; --byte_test 2,>,1,3; --byte_test 2,<,0x301,3; --byte_test 2,>,0,5; --byte_test 2,!,0,7; --byte_test 2,<,16,7; --byte_test 2,>,16,9; --byte_test 2,<,33,9; --pattern "|8F|"; --within 1,packet; --distance 11,packet; --byte_test 2,>,32768,0,relative; --data_size >300; )
F-SBID( --name "SSL.PCT.Overflow"; --protocol tcp; --flow from_client; --service SSL; --parsed_type SSL_PCT; --pattern "|01|"; --within 1,packet; --distance 2,packet; --byte_test 2,>,1,3; --byte_test 2,<,0x301,3; --byte_test 2,>,0,5; --byte_test 2,!,0,7; --byte_test 2,<,16,7; --byte_test 2,>,16,9; --byte_test 2,<,33,9; --pattern "|8F|"; --within 1,packet; --distance 11,packet; --byte_test 2,>,32768,0,relative; --data_size >300; )