Home page logo
/

snort logo Snort mailing list archives

SMTP content-type overflow rule question
From: Bobby Venal <bobby.venal () gmail com>
Date: Fri, 3 Dec 2010 11:27:21 -0700

Hi all,

An organization I work with had an older version of the 'SMTP
Content-Type overflow' rule in place; it was using this PCRE:

"/^Content-Type\x3A[^\x0d\x0a]{300,}$/im"

I noticed that the current version is this:

"/^\s*Content-Type\s*\x3A\s*[^\r\n]{300}/mi"

And I just wanted to make sure I understood one of the differences.
Am I correct in thinking that:

{300,}$ means "at least 300 occurrences of the preceding character
class, then end-of-line
and
{300} mean "exactly 300 occurrences of the preceding character class"

------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault