Snort mailing list archives

Possible Cerber False Negative


From: Kevin Ross <kevross33 () googlemail com>
Date: Wed, 7 Dec 2016 15:38:39 +0000

Hi,

Looking at rule 38885 I don't think it would hit messages like hi008c1030
which I see from Cerber analysis of sample md5
39594fb96583d261ef4fcc1d76efc84c.

The reason being primarily that dsize is set to 9 in the rule when this is
10 bytes long in these payloads. Pcre regex sets the hex to {6} but this
would be fine without dsize although in this case it will be 7 rather than
6 bytes.

Kind Regards,
Kevin Ross
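A small illustration of the length interaction raised in this post, added here for the archive page and not taken from the Snort rule set: it models a rule as an exact dsize test plus a PCRE that is not anchored at the end of the payload (an assumed shape for illustration, not the actual text of SID 38885) and runs it over a constructed copy of the hi008c1030 message, then checks a set of sample payloads for the false negatives a too-tight dsize produces.

```python
import re
from typing import List, Optional

# Constructed copy of the message named in the post (10 bytes long).
SAMPLE_PAYLOAD = b"hi008c1030"

# Assumed rule shape for illustration only; this is not the text of SID 38885.
# The pattern requires the "hi" prefix followed by at least six hex characters
# and is not anchored at the end, so a longer message still satisfies it.
ASSUMED_PCRE = re.compile(rb"^hi[0-9a-f]{6}", re.IGNORECASE)


def dsize_ok(payload: bytes, dsize: Optional[int]) -> bool:
    """Emulate an exact 'dsize:N;' test; None means the option is absent."""
    return dsize is None or len(payload) == dsize


def pcre_ok(payload: bytes) -> bool:
    """Emulate the (assumed) pcre option against the payload."""
    return ASSUMED_PCRE.search(payload) is not None


def rule_fires(payload: bytes, dsize: Optional[int]) -> bool:
    """Rule options are ANDed: a failed dsize test stops evaluation."""
    return dsize_ok(payload, dsize) and pcre_ok(payload)


def false_negatives(payloads: List[bytes], dsize: Optional[int]) -> List[bytes]:
    """Payloads the pattern recognises but the dsize test discards.

    Useful as a regression check: run a rule's dsize against every payload
    length observed in sandbox traffic before shipping the rule.
    """
    return [p for p in payloads if pcre_ok(p) and not dsize_ok(p, dsize)]


if __name__ == "__main__":
    # Constructed samples: the 10-byte message from the post and a 9-byte variant.
    observed = [SAMPLE_PAYLOAD, b"hi0a1b2c3"]
    print(len(SAMPLE_PAYLOAD), "bytes;", "fires with dsize:9 ->", rule_fires(SAMPLE_PAYLOAD, 9))
    print("missed by dsize:9 ->", false_negatives(observed, 9))
```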