Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Problems with the ordering inside the rules

From: Brian <bmc () snort org>
Date: Thu, 6 Nov 2003 15:08:25 -0500
On Tue, Oct 28, 2003 at 11:21:25AM +0100, Sergio Talens-Oliag wrote:

    pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow 
attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: 
attempted-admin;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: 
to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;)

  So, our question is:
  
    Is there a strict ordering needed in the content attributes or not?



YES.  The above rules will not do what you expect.

    content: !"|0a|"; within: 10; content: "TOP"; nocase; 

The first content looks for \n within 10 bytes relative to the end of the 
previous content.  In this case, the previous content doesn't exist.  These 
options need to be ordered as:
    
    content: "TOP"; nocase; content: !"|0a|"; within: 10; 

-brian


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: