Examine the correctness of filter

CS Lee geek00l at gmail.com
Tue Dec 12 08:46:02 EST 2006


Carter,

I don't have a problem with it; I'm just learning to read it properly. I'm
wondering why it is 31 as well, as it should be 3 where the quantifier is
located instead.

Thanks.

On 12/12/06, carter at qosient.com <carter at qosient.com> wrote:
>
> Hey CS,
> The second statement is " and immediate 31 " but it looks like it should
> be " and immediate 3 ", instead.
>
> Are you having problems?
>
> Carter
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -----Original Message-----
> From: "CS Lee" <geek00l at gmail.com>
> Date: Tue, 12 Dec 2006 19:07:40
> To: "Carter Bullard" <carter at qosient.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Examine the correctness of filter
>
> Carter,
>
>   ra -b - tcp
> (000) ldb [142]
> (001) and #31
> (002) jeq #0x1 jt 3 jf 5
> (003) ldb [152]
> (004) jeq #0x6 jt 8 jf 9
> (005) jeq #0x2 jt 6 jf 9
> (006) ldb [179]
> (007) jeq #0x6 jt 8 jf 9
> (008) ret #96
> (009) ret #0
>
> It looks to me that it loads one-byte quantity at an offset of 142.
>
> 001 - Get to 31st byte
> 002 - Compare and see whether it is 0x1, if it is, that's IPv4(quantifier)
> and jump to instruction 003, if it is not, jump to instruction 005.
> 003 - Load one-byte quantity at an offset of 152
> 004 - Compare and check if it is 0x6(trans proto is tcp for ip), if it is
> then jump to instruction 008, if it is not then jump to instruction 009
> 005 - Compare and check if it is 0x2 which is IPv6(quantifier) and jump to
> instruction 006 or if it is not then jump to instruction 009
> 006 - Load one-byte quantity at an offset of 179
> 007 - Compare and check if it is 0x6(trans proto is tcp for ipv6), if it
> is then jump to 008 or else jump to 009.
> 008 - Return 96 bytes
> 009 - Return nothing
>
> Carter, correct me if I'm wrong, as I don't fully understand all the
> diagrams in the argus_def.h file yet. Thanks.
>
>
>
> On 12/12/06, Carter Bullard <carter at qosient.com> wrote:
> Hey CS,
> Sorry I didn't respond.
> The Argus record is defined in ./include/argus_out.h and
> ./include/argus_def.h.
> Carter
>
> On Dec 3, 2006, at 8:17 PM, CS Lee wrote:
> Hey people,
>
> While reading ra -b output, I come across this -
>
> ra -b - tcp
> (000) ldb [142]
> (001) and #31
> (002) jeq #0x1 jt 3 jf 5
> (003) ldb [152]
> (004) jeq #0x6 jt 8 jf 9
> (005) jeq #0x2 jt 6 jf 9
> (006) ldb [179]
> (007) jeq #0x6 jt 8 jf 9
> (008) ret #96
> (009) ret #0
>
> While this seems not so complicated, is there any reference for the
> argus data format that I can refer to, such as the one shown by tcpdump -d,
> so that the correctness of the filter can be confirmed by looking at the
> packet headers?
>
> Thanks.
>
> --
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
>
> --
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
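An added example, not from this thread or the Argus project: a small Python interpreter for the BPF-style listing that `ra -b - tcp` printed above, run over constructed records, to show what each instruction does (in BPF, `and #31` masks the loaded byte with 0x1f, `ldb [n]` loads the byte at offset n, and `jeq` branches). The offsets 142, 152 and 179 are taken from the quoted output; the records fed to it are constructed for illustration and are not real Argus records.

```python
# Added example (not part of the thread): interpret the ra -b listing.
# Offsets come from the quoted output; records below are constructed.
RA_TCP_FILTER = """\
ldb [142]
and #31
jeq #0x1 jt 3 jf 5
ldb [152]
jeq #0x6 jt 8 jf 9
jeq #0x2 jt 6 jf 9
ldb [179]
jeq #0x6 jt 8 jf 9
ret #96
ret #0
"""

def parse(program):
    """Turn the listing into (op, operand...) tuples, e.g. ('jeq', 6, 8, 9)."""
    insns = []
    for line in program.strip().splitlines():
        op, *rest = line.split()
        nums = [int(t.strip("[]#"), 0) for t in rest if t not in ("jt", "jf")]
        insns.append((op, *nums))
    return insns

def run_filter(insns, record):
    """Execute the program over one record; return the ret value (0 = reject)."""
    a, pc = 0, 0
    while True:
        op, *args = insns[pc]
        if op == "ldb":      # A = one byte at the given offset
            a = record[args[0]]
        elif op == "and":    # A &= immediate mask (31 == 0x1f keeps the low 5 bits)
            a &= args[0]
        elif op == "jeq":    # branch to jt if A == immediate, else to jf
            pc = args[1] if a == args[0] else args[2]
            continue
        elif op == "ret":    # accept this many bytes of the record
            return args[0]
        else:
            raise ValueError(f"unsupported opcode {op!r}")
        pc += 1

def make_record(b142, b152=0, b179=0):
    """Constructed 200-byte record with only the three tested bytes set."""
    buf = bytearray(200)
    buf[142], buf[152], buf[179] = b142, b152, b179
    return bytes(buf)

if __name__ == "__main__":
    prog = parse(RA_TCP_FILTER)
    print(run_filter(prog, make_record(0x01, b152=6)))  # IPv4 + proto 6 -> 96
    print(run_filter(prog, make_record(0x21, b152=6)))  # high bits masked -> 96
```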