Snort mailing list archives

Snort 1.9 "within:" option broken?


From: Carl Gibbons <cgibbons () du edu>
Date: Fri, 17 Jan 2003 08:39:34 -0700 (MST)


(If snort-users () lists sourceforge net isn't the correct forum for
this kind of query, please let me know.  - Carl)

Is the "within" option in Snort 1.9 signatures working properly?

For example, in this rule in imap.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; 
content:" AUTHENTICATE "; nocase; content:!"|0a|"; within:1024; reference:nessus,10292; reference:cve,CVE-1999-0042; 
classtype:misc-attack; sid:1844; rev:4;)

I read the options
  content:!"|0a|"; within:1024;
as
  "match if 0x0a (newline) does not appear in the
   first 1024 bytes of the payload."

Nevertheless, this rule just alerted on a packet with the following payload:

32 20 61 75 74 68 65 6E 74 69 63 61 74 65 20 70  2 authenticate p
6C 61 69 6E 0D 0A                                lain..

Maybe I'm reading the option wrong, and it really gets parsed as
"match if anything other than a newline appears in the first 1024
bytes of payload."  If so, the signature, and all overflow
signatures in imap.rules, yield too many false positives to be
useful.

- Carl
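To make the two readings in the post concrete, here is an added example (not code from the thread or from Snort) that evaluates both against the hex dump Carl quoted. It assumes, as the Snort manual describes for `within`, that the 1024-byte window starts at the end of the previous content match (" AUTHENTICATE "); for this 22-byte payload that assumption does not change the outcome.

```python
# Payload from the alert in the post, copied from its hex dump
# ("2 authenticate plain\r\n"); bytes.fromhex ignores the spaces.
ALERTED_PAYLOAD = bytes.fromhex(
    "32 20 61 75 74 68 65 6E 74 69 63 61 74 65 20 70 6C 61 69 6E 0D 0A"
)
# Constructed sample of what the signature is meant to catch: an
# AUTHENTICATE line with no newline in the 1024 bytes after the keyword.
LONG_LINE_PAYLOAD = b"2 AUTHENTICATE " + b"A" * 2000
# Constructed sample with no AUTHENTICATE keyword at all.
UNRELATED_PAYLOAD = b"2 LOGIN user pass\r\n"

def find_content(payload, pattern, start=0, end=None, nocase=False):
    """Return the offset just past the first match of pattern inside
    payload[start:end], or None if it is not found (Snort 'content')."""
    hay = payload[start:end]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    idx = hay.find(pattern)
    return None if idx < 0 else start + idx + len(pattern)

def anchor_after_authenticate(payload):
    """End offset of the first ' AUTHENTICATE ' match (nocase), or None."""
    return find_content(payload, b" AUTHENTICATE ", nocase=True)

def alerts_reading_a(payload):
    """Reading A (Carl's first reading): alert only if 0x0a does NOT
    appear within the 1024 bytes following the previous match."""
    anchor = anchor_after_authenticate(payload)
    if anchor is None:
        return False
    return find_content(payload, b"\n", anchor, anchor + 1024) is None

def alerts_reading_b(payload):
    """Reading B (Carl's suspected reading): alert if ANY byte other than
    0x0a appears within the same 1024-byte window."""
    anchor = anchor_after_authenticate(payload)
    if anchor is None:
        return False
    window = payload[anchor:anchor + 1024]
    return any(byte != 0x0A for byte in window)

if __name__ == "__main__":
    for name, pl in [("alerted", ALERTED_PAYLOAD),
                     ("long line", LONG_LINE_PAYLOAD),
                     ("unrelated", UNRELATED_PAYLOAD)]:
        print(f"{name:10s} reading A: {alerts_reading_a(pl)!s:5s} "
              f"reading B: {alerts_reading_b(pl)}")
```

Only reading B fires on the quoted "2 authenticate plain\r\n" packet, while reading A fires on the long newline-free line the signature targets, which is a quick way to tell which semantics a given Snort build is applying.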



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

