Snort mailing list archives
Problem with Rules
From: "John Davey" <john () davey net au>
Date: Sun, 5 Aug 2001 18:53:36 +0930
Using the latest tarball from www.snort.org

Why does this rule fail,

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"WEB-IIS ISAPI CodeRedII Worm-21"; \
uricontent:"|58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63|"; \
offset: 240; depth: 16; dsize:>260; flags:A+; reference:arachnids,552; \
classtype:attempted-admin; sid:1000001; rev:1;)

and this rule succeed????

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"WEB-IIS ISAPI CodeRedII Worm-20"; \
uricontent:"|58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63|"; \
offset: 240; depth: 16; dsize:>450; flags:A+; reference:arachnids,552; \
classtype:attempted-admin; sid:1000001; rev:1;)

Note the second rule (one that works) has a bigger 'dsize:>450' but this should not be necessary; 260 should be big enough.

Regards
John