Snort mailing list archives
Re: rules keyword
From: Erek Adams <erek () snort org>
Date: Wed, 8 Jan 2003 12:58:27 -0500 (EST)
On Wed, 8 Jan 2003, Patrice Boulanger wrote:
> Can someone tell me what the "within" keyword in the following rule means:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS "; nocase; content:!"|0a|"; within:50; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)
>
> I have read the doc but there is nothing about this. I use snort v1.9 and my rules set comes directly from snort.org. These rules are meant to be used with this version (as indicated on the web site).
From our Benevolent Dictator for Life:
http://marc.theaimsgroup.com/?l=snort-users&m=103334784719103&w=2
'The "distance" keyword gives you a relative offset from the end of the
last match, so it basically acts as a wildcarding mechanism. You can also
use the new "within" keyword to limit how deep into the packet from the
end of the distance it'll search before it stops.'
So, I read that rule as 'Find the content "PASS" without a 0A (hex) within
50 bytes of "PASS" '.
Hope that helps!
-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
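To make the reading of the rule above concrete, here is a small Python model of Snort's content / nocase / distance / within options, evaluated against a few constructed POP3 payloads. This is an added example, not code from Snort or from anyone in this thread; the exact window arithmetic (the negated pattern is searched for only inside the `within` bytes that follow the end of the previous match) is an assumption that approximates the detection engine rather than reproducing it.

```python
"""Toy evaluator for Snort-style content matching with nocase, negation,
distance and within, written as an added example (not Snort's own code).

It models sid 1634 rev 5 from the quoted rule:
    content:"PASS "; nocase; content:!"|0a|"; within:50;
i.e. find "PASS " case-insensitively, then alert only if NO 0x0a byte
appears in the 50 bytes that follow that match.  The window arithmetic is
a simplification of the real detection engine (assumption of this example).
"""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Content:
    pattern: bytes
    negated: bool = False          # content:!"..."
    nocase: bool = False           # nocase;
    distance: int = 0              # distance:N -> start N bytes after last match end
    within: Optional[int] = None   # within:N  -> search window is N bytes long


def _find(hay: bytes, needle: bytes, nocase: bool) -> int:
    """Locate needle in hay, optionally case-insensitively; -1 if absent."""
    if nocase:
        return hay.lower().find(needle.lower())
    return hay.find(needle)


def rule_matches(payload: bytes, contents: List[Content]) -> bool:
    """Return True when every content option is satisfied in order.

    Each option is evaluated relative to the end of the previous positive
    match, which is what distance/within are relative to in the reply above.
    """
    cursor = 0  # end of the last positive match; 0 = start of payload
    for c in contents:
        start = cursor + c.distance
        end = len(payload) if c.within is None else min(len(payload), start + c.within)
        window = payload[start:end]
        idx = _find(window, c.pattern, c.nocase)
        found = idx != -1
        if c.negated:
            if found:
                return False  # forbidden byte present in the window -> no alert
            # a negated content does not advance the cursor
        else:
            if not found:
                return False
            cursor = start + idx + len(c.pattern)
    return True


# The content options of the quoted rule (sid 1634, rev 5).
POP3_PASS_OVERFLOW = [
    Content(b"PASS ", nocase=True),
    Content(b"\x0a", negated=True, within=50),
]

# Constructed sample payloads for illustration; none is captured traffic.
SAMPLES: Dict[str, bytes] = {
    "normal login": b"PASS hunter2\r\n",
    "lowercase command (nocase)": b"pass hunter2\n",
    "no PASS command": b"USER bob\r\n",
    "newline at byte 49 after PASS": b"PASS " + b"A" * 49 + b"\n",
    "newline at byte 50 after PASS": b"PASS " + b"A" * 50 + b"\n",
    "long password, no newline": b"PASS " + b"A" * 300,
}


def classify(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(p, POP3_PASS_OVERFLOW) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
```

The two "newline at byte 49/50" samples show the edge of the 50-byte window: a line ending that falls inside it suppresses the alert, one that falls just outside does not, which is exactly why an overlong PASS argument with no terminating newline trips the rule.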