Snort mailing list archives

Problem with Rules


From: "John Davey" <john () davey net au>
Date: Sun, 5 Aug 2001 18:53:36 +0930

Using the latest tarball from www.snort.org

Why does this rule fail,

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \ 
(msg:"WEB-IIS ISAPI CodeRedII Worm-21"; \ 
uricontent:"|58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63|"; \
offset: 240; depth: 16;  dsize:>260; flags:A+; reference:arachnids,552; \
classtype:attempted-admin; sid:1000001; rev:1;)

and this rule succeed?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"WEB-IIS ISAPI CodeRedII Worm-20"; \
uricontent:"|58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63|"; \
offset: 240; depth: 16; dsize:>450; flags:A+; reference:arachnids,552; \
classtype:attempted-admin; sid:1000001; rev:1;)

Note the second rule (the one that works) has a bigger 'dsize:>450', but this
should not be necessary; 260 should be big enough.


Regards John 

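A small model of the rule options the two rules above rely on (the |hex| content notation, offset, depth and dsize), added here as an illustration; it is not code from the poster or from Snort. It assumes depth counts bytes from the offset position, as the Snort manual documents, and feeds a constructed URI-like buffer straight in, with no HTTP normalisation:

```python
# Simplified model of the Snort rule options in the two rules above.
# Assumption: depth is measured from the offset position (Snort manual
# semantics); the buffer passed in stands in for the request URI.

CODERED2_CONTENT = "|58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63|"


def parse_content(spec):
    """Turn Snort content notation (text with |hex| sections) into raw bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                      # odd pieces sit between pipes: hex bytes
            out.extend(bytes.fromhex(part))
        else:                          # even pieces are literal characters
            out.extend(part.encode("latin-1"))
    return bytes(out)


def content_in_window(buf, pattern, offset=0, depth=None):
    """True if pattern lies entirely inside buf[offset : offset + depth]."""
    end = len(buf) if depth is None else offset + depth
    return buf.find(pattern, offset, end) != -1


def dsize_gt(buf, n):
    """Model of 'dsize:>n': the payload must be longer than n bytes."""
    return len(buf) > n


def rule_matches(buf, content, offset, depth, dsize_min):
    """Evaluate the option set both rules share, with a configurable dsize."""
    return dsize_gt(buf, dsize_min) and content_in_window(
        buf, parse_content(content), offset, depth)


def sample_uri(total_len, pattern_at=240):
    """Constructed test buffer (not captured traffic): '/default.ida?' plus
    'X' padding so the escaped pattern starts at pattern_at, then filler."""
    head = b"/default.ida?"
    head += b"X" * (pattern_at - len(head))
    body = head + parse_content(CODERED2_CONTENT)
    return body + b"A" * (total_len - len(body))


if __name__ == "__main__":
    for length in (300, 500):
        u = sample_uri(length)
        print(length, rule_matches(u, CODERED2_CONTENT, 240, 16, 260),
              rule_matches(u, CODERED2_CONTENT, 240, 16, 450))
```

With depth:16 the 16-byte pattern has to begin at exactly byte 240; shifting it by one byte defeats the rule, so the dsize threshold is not the only thing to check when a rule misses.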

