Snort mailing list archives
Re: rules keyword
From: James Hoagland <hoagland () SiliconDefense com>
Date: Wed, 8 Jan 2003 10:14:20 -0800
At 6:48 PM +0100 1/8/03, Patrice Boulanger wrote:
Hi, Someone can tell me what the "within" keyword in the following rule means : alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS "; nocase; content:!"|0a|"; within:50; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;) I have read the doc but there is nothing about this. I use a snort v1.9 and my rules set comes directly from snort.org. These rules are attempted to be use with this version (as indicated on the web site).
It is limiting the search scope for "|0a|" (a line feed) to the first 50 bytes of the application layer. The absence of this in the context of a PASS might indicate an attempt to overflow a buffer with a long password.
Kind regards, Jim -- |* Jim Hoagland, Associate Researcher, Silicon Defense *| |* --- Silicon Defense: IDS Solutions --- *| |* hoagland () SiliconDefense com, http://www.silicondefense.com/ *| |* Voice: (530) 756-7317 Fax: (530) 756-7297 *| ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- rules keyword Patrice Boulanger (Jan 08)
- Re: rules keyword Erek Adams (Jan 08)
- Re: rules keyword James Hoagland (Jan 08)
- RE: rules keyword Patrice Boulanger (Jan 08)