Snort - the de facto standard for intrusion detection/prevention
Next: ASN.1 Examples Up: ASN.1 Detection Previous: ASN.1 Detection   Contents


ASN.1 Keywords

The ASN.1 keywords provide programmatic detection capabilities as well as some more dynamic type detection. Most of the keywords don't have arguments, as the detection is looking for non-configurable information. If a keyword does have an argument, the keyword is followed by a comma and the argument is the next word. If a keyword has multiple arguments, then a comma separates each.

81. bitstring_overflow

The bitstring_overflow option detects invalid bitstring encodings that are known to be remotely exploitable.

82. double_overflow

The double_overflow keyword detects a double ASCII encoding that is larger than a standard buffer. This is known to be an exploitable function in Microsoft, but it is unknown at this time which services may be exploitable.

83. oversize_length

This detection keyword compares ASN.1 type lengths with the supplied argument. The syntax looks like "oversize_length 500". This means that if the length of an ASN.1 type is greater than 500, then this keyword is evaluated as true. This keyword must have one argument, which specifies the length to compare against.

84. absolute_offset

This is the absolute offset from the beginning of the packet. For example, if you wanted to decode SNMP packets, you would say "absolute_offset, 0". absolute_offset has one argument, the offset value. Offset may be positive or negative.

85. relative_offset

This is the relative offset from the last content match or byte_test/jump. relative_offset has one argument, the offset number. So if you wanted to start decoding an ASN.1 sequence right after the content "foo", you would specify 'content:"foo"; asn1: bitstring_overflow, relative_offset, 0'. Offset values may be positive or negative.


Steven Sturges 2007-05-11