Snort mailing list archives

Re: rules keyword


From: James Hoagland <hoagland () SiliconDefense com>
Date: Wed, 8 Jan 2003 10:14:20 -0800

At 6:48 PM +0100 1/8/03, Patrice Boulanger wrote:
Hi,

Can someone tell me what the "within" keyword in the following rule means:

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow
attempt"; flow:to_server,established; content:"PASS "; nocase;
content:!"|0a|"; within:50; reference:cve,CAN-1999-1511;
reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)

I have read the doc but there is nothing about this. I use Snort v1.9 and
my rule set comes directly from snort.org. These rules are intended to be
used with this version (as indicated on the web site).

It is limiting the search scope for "|0a|" (a line feed) to the first 50 bytes of the application layer. The absence of this in the context of a PASS might indicate an attempt to overflow a buffer with a long password.

Kind regards,

  Jim
--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
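To make the "within" semantics concrete, here is an added example (not code from the thread or from the Snort project) that emulates what the rule above checks: find "PASS " case-insensitively, then look for a line feed only in the 50 bytes following the end of that match, and alert when none is there. The sample POP3 payloads are constructed for this illustration; the assumption that a buffer shorter than the window is searched only as far as it goes is mine, not something the thread states.

```python
"""Emulation of: content:"PASS "; nocase; content:!"|0a|"; within:50;

Each function works on the raw application-layer bytes of one TCP segment
or reassembled stream, as a Snort content match would.
"""

WITHIN = 50          # value from the rule's within: modifier
NEEDLE = b"PASS "    # first content match, nocase
TERMINATOR = b"\x0a" # the negated content |0a| (line feed)


def pass_overflow_match(payload: bytes) -> bool:
    """Return True when the rule's content checks would all succeed."""
    # content:"PASS "; nocase;  -> case-insensitive search, note the offset
    idx = payload.lower().find(NEEDLE.lower())
    if idx == -1:
        return False                      # first content failed, rule fails

    # within:50 anchors the next content to the 50 bytes that follow the
    # END of the previous match, i.e. the start of the password itself.
    start = idx + len(NEEDLE)
    window = payload[start:start + WITHIN]  # assumption: short buffers are
                                            # searched as far as they go

    # content:!"|0a|" is negated: the rule matches only when NO line feed
    # appears inside that window. A normal "PASS secret\r\n" terminates
    # early; a very long password pushes the newline past the window.
    return TERMINATOR not in window


# Constructed sample traffic (not captured data) to run the emulation over.
SAMPLES = {
    "normal login":      b"PASS secret\r\n",
    "user then pass":    b"USER bob\r\nPASS hunter2\r\n",
    "lowercase verb":    b"pass " + b"A" * 60,
    "no pass at all":    b"USER bob\r\nLIST\r\n",
    "49 chars then LF":  b"PASS " + b"A" * 49 + b"\n",   # LF at window[49]
    "50 chars then LF":  b"PASS " + b"A" * 50 + b"\n",   # LF at window[50]
    "long password":     b"PASS " + b"A" * 200 + b"\r\n",
}


def classify(samples: dict) -> dict:
    """Map each sample label to whether the rule would fire on it."""
    return {label: pass_overflow_match(p) for label, p in samples.items()}


if __name__ == "__main__":
    for label, fired in classify(SAMPLES).items():
        print(f"{'ALERT ' if fired else 'ok    '} {label}")
```

The two boundary samples show the off-by-one that matters when reading a rule: with within:50 the window covers positions 0 through 49 after the match, so a line feed at position 49 suppresses the alert while one at position 50 does not.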

