[Snort-devel] Problems with distance attribute in 1.9

Burak DAYIOGLU dayioglu at ...287...
Tue Aug 20 05:54:03 EDT 2002


On Mon, 2002-08-19 at 23:08, Martin Roesch wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143                         \
>     (msg:"EXPERIMENTAL IMAP list overflow attempt";                  \
>     flow:established,to_server;                                      \
>     content:" LIST |22 22| "; nocase; content: !"|0a|"; within:1024; \
>     reference:nessus,10374; reference:cve,CAN-2000-0284; sid:1845; rev:1;)

Instead of using two different contents one after the other, how about
something like contentpattern with (extra-simplified) regexp capability?

It seems like what is done with the above rule is nothing more than a
simple regexp match (the content, nocase and within stuff). 

Regarding the 'distance' keyword: it sounds more like TTL stuff (sensor
to target host distance in terms of hops) to me...

Regards,
-- 
Burak DAYIOGLU
Phone: +90 312 2103379      Fax: +90 312 2103333
http://www.dayioglu.net        ICQ UIN: 72276975
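A toy model of the ordered content matching that the quoted rule (sid:1845) relies on, added here as an example; it is not Snort's code and not code from either poster. It transcribes the two content clauses, evaluates them against constructed IMAP payloads, and places a single regex beside them to make the "this is just a regexp match" comparison concrete. The semantics it assumes (each content searched from the end of the previous match, `distance:N` as a minimum byte gap after that match, `within:N` as the size of the search window, a negated content failing the rule when its bytes are found) are stated in the module docstring; the function names, the sample payloads and the regex are this example's own.

```python
"""Toy model of Snort's ordered content matching (added example; not Snort code).

Modelling assumptions, not a description of Snort internals:
  - every content clause is searched from the end of the previous
    positive content match (the "cursor"); the first clause starts at 0
  - distance:N moves that search start N bytes forward
  - within:N limits the search window to N bytes from that start, and the
    pattern must fit entirely inside the window
  - a negated clause (content:!"...") fails the rule if the bytes ARE found
    in its window, and never moves the cursor
"""
import re


def parse_content(spec):
    """Convert a Snort content string to bytes: text outside |...| is
    literal, text inside is hex, e.g. ' LIST |22 22| ' -> b' LIST "" '."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def find_content(payload, pattern, start, end, nocase):
    """First occurrence of pattern lying entirely within payload[start:end];
    returns (match_start, match_end) or None."""
    hay, pat = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    idx = hay.find(pat, start, end)
    return None if idx < 0 else (idx, idx + len(pat))


def match_rule(payload, contents):
    """Evaluate content clauses in order. Each clause is a dict with keys
    pattern (bytes) and optional nocase, negated, distance, within."""
    cursor = 0
    for c in contents:
        start = cursor + c.get("distance", 0)
        within = c.get("within")
        end = len(payload) if within is None else start + within
        hit = find_content(payload, c["pattern"], start, end, c.get("nocase", False))
        if c.get("negated", False):
            if hit is not None:          # forbidden bytes present in the window
                return False
        elif hit is None:
            return False
        else:
            cursor = hit[1]
    return True


# The two content clauses of the rule quoted above (sid:1845), transcribed.
RULE_1845 = [
    {"pattern": parse_content(" LIST |22 22| "), "nocase": True},
    {"pattern": parse_content("|0a|"), "negated": True, "within": 1024},
]

# The same check as one regex (assumed equivalent, written for this example).
# The second alternative covers a payload that simply ends without a newline,
# which the negated content also treats as "no |0a| in the window".
RULE_1845_RE = re.compile(rb' LIST "" (?:[^\n]{1024}|[^\n]*\Z)', re.IGNORECASE)

# Constructed sample IMAP client payloads (not captures from real traffic).
BENIGN_LIST = b'A001 LIST "" "*"\r\n'
OVERFLOW_LIST = b'A001 LIST "" "' + b"A" * 1100 + b'"\r\n'
NOT_LIST = b"A001 SELECT INBOX\r\n"


def imap_list_overflow(payload):
    """True when the two-content rule above would alert on payload."""
    return match_rule(payload, RULE_1845)


def imap_list_overflow_regex(payload):
    """Same decision using the single regex instead of two contents."""
    return RULE_1845_RE.search(payload) is not None


# distance is a byte gap after the previous match: "cd" must start at least
# three bytes past the end of "ab" for this pair to match (assumed semantics).
DISTANCE_RULE = [{"pattern": b"ab"}, {"pattern": b"cd", "distance": 3}]


def distance_demo(payload):
    return match_rule(payload, DISTANCE_RULE)


if __name__ == "__main__":
    for name, p in [("benign", BENIGN_LIST), ("overflow", OVERFLOW_LIST), ("select", NOT_LIST)]:
        print(f"{name:9s} contents={imap_list_overflow(p)} regex={imap_list_overflow_regex(p)}")
    print("abXXcd :", distance_demo(b"abXXcd"), "  abXXXcd :", distance_demo(b"abXXXcd"))
```

Running it shows the benign `LIST "" "*"` line is not flagged (the newline falls inside the 1024-byte window), the 1100-byte argument is flagged by both the two-content form and the regex, and `abXXcd` fails the `distance:3` rule while `abXXXcd` passes it: the keyword measures bytes after the previous match, nothing about the network path.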
