[Snort-devel] Problems with distance attribute in 1.9

Martin Roesch roesch at ...402...
Mon Aug 19 13:34:06 EDT 2002


Ok, I had to make a fix here to snort (check CVS) but this rule isn't quite
right.  Maybe we could come up with better nomenclature for the options
here?  I'm open to suggestions.

This rule is trying to determine whether or not a carriage return is
occurring within 1024 bytes of the "LIST |22 22|" content.  If I'm reading
that right, it should be written like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143                         \
    (msg:"EXPERIMENTAL IMAP list overflow attempt";                  \
    flow:established,to_server;                                      \
    content:" LIST |22 22| "; nocase; content: !"|0a|"; within:1024; \
    reference:nessus,10374; reference:cve,CAN-2000-0284; sid:1845; rev:1;)

This rule says "if I don't see a carriage return within 1024 bytes of the
LIST command, generate an alert."

The within option wasn't working correctly without a distance specified and
that's what I patched, but now things are working correctly and the rule
above should produce the expected behavior.

I think that the distance/within naming scheme might be confusing people,
any opinions?

     -Marty

On 8/12/02 10:42 PM, "Russell Fulton" <r.fulton at ...1343...> wrote:

> Below is a note I posted to the sigs list recently.  Now that I have
> found out what distance is supposed to do I now assert that it isn't
> working properly in build 184.
> 
> Please reply direct to me as I am not on the developers list.
> 
> Russell
> 
> Hi,
> I am running snort 1.9.0beta2 (Build 184) and I am getting lots of
> false positives on some new rules.  I am not sure if this is a problem
> with the rules or a problem with snort.  I notice this rule uses
> 'distance' which I can't find in the documentation, presumably
> another new feature in 1.9.
> 
> Anyway what I have done here is to list the rule and a packet capture or
> two, that I believe to be a false positive:
> 
> Hmmmm.. is the position of distance in the rule important?  i.e. should
> the distance actually be between the two content: that it refers to?
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (
> msg:"EXPERIMENTAL IMAP list overflow attempt";
> flow:established,to_server;
> content:" LIST |22 22| "; nocase; content:"|0a|"; distance:1024;
> reference:nessus,10374; reference:cve,CAN-2000-0284; sid:1845; rev:1;)
> 
> [**] EXPERIMENTAL IMAP list overflow attempt [**]
> 08/12-22:33:16.631443 210.54.139.26:49157 -> 130.216.191.126:143
> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:251
> ***AP*** Seq: 0x44BD503C  Ack: 0x331892FB  Win: 0x16D0  TcpLen: 20
> 0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
> 0x0010: 00 FB 00 00 00 00 F0 06 00 00 D2 36 8B 1A 82 D8  ...........6....
> 0x0020: BF 7E C0 05 00 8F 44 BD 50 3C 33 18 92 FB 50 18  .~....D.P<3...P.
> 0x0030: 16 D0 00 00 00 00 41 30 30 30 20 43 41 50 41 42  ......A000 CAPAB
> 0x0040: 49 4C 49 54 59 0D 0A 41 30 30 31 20 4C 4F 47 49  ILITY..A001 LOGI
> 0x0050: 4E 20 22 6C 6D 61 63 30 30 34 22 20 22 36 31 30  N "lmac004" "610
> 0x0060: 38 31 31 39 22 0D 0A 41 30 30 32 20 4C 49 53 54  8119"..A002 LIST
> 0x0070: 20 22 22 20 22 22 0D 0A 41 30 30 33 20 43 41 50   "" ""..A003 CAP
> 0x0080: 41 42 49 4C 49 54 59 0D 0A 41 30 30 34 20 53 45  ABILITY..A004 SE
> 0x0090: 4C 45 43 54 20 22 49 4E 42 4F 58 22 0D 0A 41 30  LECT "INBOX"..A0
> 0x00A0: 30 35 20 55 49 44 20 46 45 54 43 48 20 31 3A 2A  05 UID FETCH 1:*
> 0x00B0: 20 28 55 49 44 20 46 4C 41 47 53 29 0D 0A 41 30   (UID FLAGS)..A0
> 0x00C0: 30 36 20 55 49 44 20 46 45 54 43 48 20 31 39 37  06 UID FETCH 197
> 0x00D0: 36 31 3A 2A 20 28 55 49 44 20 46 4C 41 47 53 20  61:* (UID FLAGS
> 0x00E0: 49 4E 54 45 52 4E 41 4C 44 41 54 45 20 52 46 43  INTERNALDATE RFC
> 0x00F0: 38 32 32 2E 53 49 5A 45 20 52 46 43 38 32 32 2E  822.SIZE RFC822.
> 0x0100: 48 45 41 44 45 52 29 0D 0A                       HEADER)..
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
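An added example, not code from this thread or from Snort itself: a small Python model of the content/distance/within behaviour Marty describes, run over the IMAP payload reconstructed from Russell's packet dump and over a constructed oversized LIST argument. The modifier semantics are my own simplified reading (a content with no relative modifier searches the whole payload; distance:N starts the next search N bytes past the end of the previous match; within:N requires the whole pattern to lie in the N bytes after that start; a negated content passes only when its pattern is absent from that window), not Snort's real matcher, and the function and variable names are assumptions of this example.

```python
# Added example: a simplified model of Snort content-option chaining.
# Assumed semantics (my own reading of the thread, not Snort's source):
#   - a content with neither distance nor within searches the whole payload;
#   - distance:N moves the search start N bytes past the previous match end;
#   - within:N limits the window so the whole pattern must sit in N bytes
#     after that start;
#   - a negated content (!"...") passes only if the pattern is NOT in its window.


def parse_content(spec):
    """Decode a Snort content string; text between '|' is hex,
    e.g. ' LIST |22 22| ' -> b' LIST "" '."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def content(spec, nocase=False, negated=False, distance=None, within=None):
    """Build one content option together with its modifiers."""
    return {"pattern": parse_content(spec), "nocase": nocase,
            "negated": negated, "distance": distance, "within": within}


def evaluate(rule, payload):
    """Return True when every content option in `rule` is satisfied by
    `payload`, i.e. the rule would alert."""
    doe = 0  # 'detect offset end': byte just after the previous positive match
    for opt in rule:
        pat, hay = opt["pattern"], payload
        if opt["nocase"]:
            pat, hay = pat.lower(), hay.lower()
        relative = opt["distance"] is not None or opt["within"] is not None
        start = doe + (opt["distance"] or 0) if relative else 0
        end = start + opt["within"] if opt["within"] is not None else len(hay)
        idx = hay.find(pat, start, end)  # -1 unless the whole pattern fits in [start, end)
        if opt["negated"]:
            if idx != -1:
                return False             # forbidden pattern is present: no alert
            continue                     # a negated option does not move doe
        if idx == -1:
            return False
        doe = idx + len(pat)
    return True


# The two variants of sid:1845 from the thread.
LIST_CMD = content(" LIST |22 22| ", nocase=True)
RUSSELL_RULE = [LIST_CMD, content("|0a|", distance=1024)]             # as posted
MARTY_RULE = [LIST_CMD, content("|0a|", negated=True, within=1024)]   # Marty's rewrite

# IMAP payload reconstructed (ASCII) from the 211-byte TCP payload in the dump.
CAPTURED = (b"A000 CAPABILITY\r\n"
            b'A001 LOGIN "lmac004" "6108119"\r\n'
            b'A002 LIST "" ""\r\n'
            b"A003 CAPABILITY\r\n"
            b'A004 SELECT "INBOX"\r\n'
            b"A005 UID FETCH 1:* (UID FLAGS)\r\n"
            b"A006 UID FETCH 19761:* (UID FLAGS INTERNALDATE RFC822.SIZE RFC822.HEADER)\r\n")

# Constructed samples: a LIST whose second argument runs past 1024 bytes
# before any line feed, and one that stays well under.
OVERFLOW_ARG = b'A002 LIST "" "' + b"A" * 1100 + b'"\r\n'
SHORT_ARG = b'A002 LIST "" "' + b"A" * 500 + b'"\r\n'


def compare(payload):
    """Alert decision of each rule variant for one payload."""
    return {"russell": evaluate(RUSSELL_RULE, payload),
            "marty": evaluate(MARTY_RULE, payload)}


if __name__ == "__main__":
    for name, p in (("captured", CAPTURED), ("overflow", OVERFLOW_ARG), ("short", SHORT_ARG)):
        print(name, compare(p))
```

Under this model neither rule alerts on Russell's captured packet (the line feed follows the LIST command after three bytes, so the negated within:1024 fails and nothing sits 1024 bytes beyond the match for distance:1024 to find), while both alert on the 1100-byte argument; the false positive Russell saw is therefore not explained by either rule's intended semantics, which is consistent with Marty's statement that the matcher itself needed a fix.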