[Snort-devel] Problems with distance attribute in 1.9

Russell Fulton r.fulton at ...1343...
Sun Aug 18 15:06:01 EDT 2002


Below is a note I posted to the sigs list recently.  Now that I have
found out what distance is supposed to do, I assert that it isn't
working properly in build 184.

Please reply direct to me as I am not on the developers list.

Russell

Hi,
 I am running snort 1.9.0beta2 (Build 184) and I am getting lots of
false positives on some new rules.  I am not sure if this is a problem
with the rules or a problem with snort.  I notice this rule uses
'distance', which I can't find in the documentation, presumably
another new feature in 1.9.

Anyway, what I have done here is to list the rule and a packet capture or
two that I believe to be a false positive:

Hmmmm.. is the position of distance in the rule important?  i.e. should
the distance actually be between the two content: that it refers to?

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (
msg:"EXPERIMENTAL IMAP list overflow attempt";
flow:established,to_server; 
content:" LIST |22 22| "; nocase; content:"|0a|"; distance:1024; 
reference:nessus,10374; reference:cve,CAN-2000-0284; sid:1845; rev:1;)

[**] EXPERIMENTAL IMAP list overflow attempt [**]
08/12-22:33:16.631443 210.54.139.26:49157 -> 130.216.191.126:143
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:251
***AP*** Seq: 0x44BD503C  Ack: 0x331892FB  Win: 0x16D0  TcpLen: 20
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
0x0010: 00 FB 00 00 00 00 F0 06 00 00 D2 36 8B 1A 82 D8  ...........6....
0x0020: BF 7E C0 05 00 8F 44 BD 50 3C 33 18 92 FB 50 18  .~....D.P<3...P.
0x0030: 16 D0 00 00 00 00 41 30 30 30 20 43 41 50 41 42  ......A000 CAPAB
0x0040: 49 4C 49 54 59 0D 0A 41 30 30 31 20 4C 4F 47 49  ILITY..A001 LOGI
0x0050: 4E 20 22 6C 6D 61 63 30 30 34 22 20 22 36 31 30  N "lmac004" "610
0x0060: 38 31 31 39 22 0D 0A 41 30 30 32 20 4C 49 53 54  8119"..A002 LIST
0x0070: 20 22 22 20 22 22 0D 0A 41 30 30 33 20 43 41 50   "" ""..A003 CAP
0x0080: 41 42 49 4C 49 54 59 0D 0A 41 30 30 34 20 53 45  ABILITY..A004 SE
0x0090: 4C 45 43 54 20 22 49 4E 42 4F 58 22 0D 0A 41 30  LECT "INBOX"..A0
0x00A0: 30 35 20 55 49 44 20 46 45 54 43 48 20 31 3A 2A  05 UID FETCH 1:*
0x00B0: 20 28 55 49 44 20 46 4C 41 47 53 29 0D 0A 41 30   (UID FLAGS)..A0
0x00C0: 30 36 20 55 49 44 20 46 45 54 43 48 20 31 39 37  06 UID FETCH 197
0x00D0: 36 31 3A 2A 20 28 55 49 44 20 46 4C 41 47 53 20  61:* (UID FLAGS 
0x00E0: 49 4E 54 45 52 4E 41 4C 44 41 54 45 20 52 46 43  INTERNALDATE RFC
0x00F0: 38 32 32 2E 53 49 5A 45 20 52 46 43 38 32 32 2E  822.SIZE RFC822.
0x0100: 48 45 41 44 45 52 29 0D 0A                       HEADER)..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin
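Snort documents `distance:N` as a gap measured from the end of the previous content match: the next content may only start N or more bytes later. The following is an added example, not code from the post or from Snort itself, that models that semantics with a small Python matcher, rebuilds the 211-byte TCP payload from the ASCII column of the capture above (labelled as constructed in the code), and shows that the rule as written cannot match that packet, while it does match a constructed LIST command whose newline sits 1024 bytes past the match. The names `parse_content`, `rule_matches` and `SID_1845` are the example's own.

```python
def parse_content(spec: str) -> bytes:
    """Snort content syntax to bytes: text outside |...| is literal, text inside
    is space-separated hex, e.g. ' LIST |22 22| ' -> b' LIST "" '."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def rule_matches(payload: bytes, contents, start: int = 0) -> bool:
    """contents: list of (pattern, nocase, distance) in rule order. Per Snort's
    documented semantics a content with distance:N may only begin N or more bytes
    after the END of the previous content's match; every candidate position of
    the earlier contents is tried so no valid alignment is missed."""
    if not contents:
        return True
    pattern, nocase, distance = contents[0]
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    pos = hay.find(needle, start + distance)
    while pos != -1:
        if rule_matches(payload, contents[1:], pos + len(needle)):
            return True
        pos = hay.find(needle, pos + 1)
    return False

# sid:1845 as written in the post: nocase on the first content, distance:1024 on the second.
SID_1845 = [
    (parse_content(' LIST |22 22| '), True, 0),
    (parse_content('|0a|'), False, 1024),
]

# Constructed from the ASCII column of the hex dump above: the 211-byte TCP payload
# (DgmLen 251 minus 20-byte IP and 20-byte TCP headers), CRLF line endings as captured.
CAPTURED_PAYLOAD = (
    b'A000 CAPABILITY\r\n'
    b'A001 LOGIN "lmac004" "6108119"\r\n'
    b'A002 LIST "" ""\r\n'
    b'A003 CAPABILITY\r\n'
    b'A004 SELECT "INBOX"\r\n'
    b'A005 UID FETCH 1:* (UID FLAGS)\r\n'
    b'A006 UID FETCH 19761:* (UID FLAGS INTERNALDATE RFC822.SIZE RFC822.HEADER)\r\n'
)

if __name__ == "__main__":
    # The LIST match ends at offset 62, so |0a| may not start before offset 1086:
    # impossible in 211 bytes, so a correct engine would not alert on this packet.
    print("captured packet alerts:", rule_matches(CAPTURED_PAYLOAD, SID_1845))
    # Constructed: LIST match ends at offset 13, newline exactly 1024 bytes later.
    long_list = b'A002 LIST "" ' + b'X' * 1024 + b'\n'
    print("newline 1024 bytes after LIST alerts:", rule_matches(long_list, SID_1845))
```

Placing `distance` between the two contents or after the second makes no difference to this model; what matters is that it modifies the content immediately preceding it, which is how the rule above is written.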