Snort mailing list archives
complicated snort rule interpretation.
From: "Rong-Tai Liu" <tie () totoro cs nthu edu tw>
Date: Fri, 27 May 2005 16:39:06 +0800
Hello,

I'm trying to interpret the following signature but keep failing :-( Does anyone know how the snort kernel processes the following signature? When the engine finds the content "|07|", why does it need a "within" and "depth" for the following byte_jump? How could this byte_jump happen in a range, not at an exact location?

Thanks a lot.

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:237;)

BRs,
Terry.
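The following is an added example, not part of the original thread and not Snort source code. It models how the Snort 2 detection engine walks the byte_test / byte_jump / content options of the rule quoted above, one option at a time, over constructed ISAKMP messages, and records where the detection cursor (Snort's "doe_ptr") sits after each option. The option semantics it encodes are this example's reading of the Snort 2 manual (a relative option with no earlier match starts from payload offset 0; byte_jump lands just past the bytes it read, plus their value; content with distance/within is searched relative to the cursor; byte_test compares without moving the cursor), and the packet layouts, field values and names (`Cursor`, `sid_237`, `isakmp_packet`, `TRIGGER`, `BENIGN`, `NOT_CR`) are all constructed for the illustration.

```python
"""Model of how Snort 2.x evaluates the ISAKMP rule's detection options.

Added illustration, not Snort source. Option semantics are this example's
reading of the Snort 2 manual; every packet below is constructed.
"""
import struct


class NoMatch(Exception):
    """Raised by an option that fails; rule evaluation stops there."""


class Cursor:
    """Tracks Snort's detect-offset-end pointer (doe_ptr) across rule options."""

    def __init__(self, payload):
        self.p = payload
        self.doe = 0          # no prior relative match: relative options start at 0
        self.trace = []       # (option, doe after it), for inspection

    def _grab(self, nbytes, offset, relative):
        start = (self.doe if relative else 0) + offset
        if start < 0 or start + nbytes > len(self.p):
            raise NoMatch(f"{nbytes} bytes at offset {start} are out of bounds")
        return start, int.from_bytes(self.p[start:start + nbytes], "big")

    def byte_test(self, nbytes, op, value, offset, relative=False):
        start, got = self._grab(nbytes, offset, relative)
        ok = {">": got > value, "<": got < value, "=": got == value}[op]
        if not ok:
            raise NoMatch(f"byte_test: {got} {op} {value} is false at offset {start}")
        self.trace.append(("byte_test", self.doe))     # cursor is not moved

    def byte_jump(self, nbytes, offset, relative=False):
        start, jump = self._grab(nbytes, offset, relative)
        # Land just past the grabbed bytes, then move forward by their value.
        self.doe = start + nbytes + jump
        if self.doe > len(self.p):
            raise NoMatch(f"byte_jump: landing at {self.doe} is past the payload end")
        self.trace.append(("byte_jump", self.doe))

    def content(self, pattern, distance=0, within=None):
        # distance may be negative: the search starts at doe + distance.
        start = self.doe + distance
        if start < 0:
            raise NoMatch(f"content: search start {start} is before the payload")
        # within bounds the search so the whole pattern must end within
        # `within` bytes of start; within:1 with a 1-byte pattern pins it to
        # exactly one position, so the match is not a range search at all.
        end = len(self.p) if within is None else start + within
        idx = self.p.find(pattern, start, end)
        if idx < 0:
            raise NoMatch(f"content: {pattern!r} not found in [{start}, {end})")
        self.doe = idx + len(pattern)                   # cursor -> end of match
        self.trace.append(("content", self.doe))


def sid_237(payload):
    """Evaluate the rule's detection options in order.

    Returns (matched, trace, reason); trace lists the cursor after each option.
    """
    c = Cursor(payload)
    try:
        c.byte_test(4, ">", 2043, 24)                  # ISAKMP header length field at 24
        c.byte_jump(2, 30, relative=True)              # payload-1 length at 30; cursor -> 32 + len1
        c.content(b"\x07", distance=-4, within=1)      # byte at cursor-4 = start of payload 2,
                                                       # its next-payload field; 7 = Certificate Request
        c.byte_jump(2, 1, relative=True)               # payload-2 length at cursor+1; cursor -> start3 + 4
        c.byte_test(2, ">", 2043, -2, relative=True)   # payload-3 length field at cursor-2
    except NoMatch as err:
        return False, c.trace, str(err)
    return True, c.trace, "all options matched"


def isakmp_packet(header_len, payloads):
    """Constructed ISAKMP message: 28-byte header, then generic payload headers.

    payloads: (next_payload, declared_len, body) tuples. declared_len is what
    goes on the wire; body is what actually follows the 4-byte payload header,
    so a length field that overstates the payload can be built for testing.
    """
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                      payloads[0][0], 0x10, 2, 0, 0, header_len)
    out = bytearray(hdr)
    for next_payload, declared_len, body in payloads:
        out += struct.pack("!BBH", next_payload, 0, declared_len) + body
    return bytes(out)


# Constructed test messages (header length 3000 so the first byte_test passes).
TRIGGER = isakmp_packet(3000, [
    (5, 12, b"\x00" * 8),      # payload 1 at 28: length 12, says payload 2 is type 5
    (7, 12, b"\x00" * 8),      # payload 2 at 40: says payload 3 is type 7 (CR)
    (0, 4000, b"\x00" * 8),    # payload 3 at 52: declared length 4000 > 2043
])
BENIGN = isakmp_packet(3000, [
    (5, 12, b"\x00" * 8),
    (7, 12, b"\x00" * 8),
    (0, 12, b"\x00" * 8),      # third-payload length is sane, so the last byte_test fails
])
NOT_CR = isakmp_packet(3000, [
    (5, 12, b"\x00" * 8),
    (5, 12, b"\x00" * 8),      # third payload is not a Certificate Request: content fails
    (0, 4000, b"\x00" * 8),
])

if __name__ == "__main__":
    for name, pkt in (("TRIGGER", TRIGGER), ("BENIGN", BENIGN), ("NOT_CR", NOT_CR)):
        print(name, sid_237(pkt))
```

Running it on `TRIGGER` shows the cursor moving 0 -> 44 -> 41 -> 56 -> 56: the first byte_jump lands four bytes past the start of the second payload, `distance:-4; within:1` then examines exactly that one byte (the second payload's next-payload field) rather than a range, and because the content match can only succeed at that single position the cursor after it is deterministic, so the second byte_jump and the final byte_test read fixed, known fields of the message.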
Current thread:
- complicated snort rule interpretation. Rong-Tai Liu (May 27)
- Re: complicated snort rule interpretation. Matt Kettler (May 27)