[Snort-devel] Problems with distance attribute in 1.9
dayioglu at ...287...
Tue Aug 20 05:54:03 EDT 2002
On Mon, 2002-08-19 at 23:08, Martin Roesch wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 \
> (msg:"EXPERIMENTAL IMAP list overflow attempt"; \
> flow:established,to_server; \
> content:" LIST |22 22| "; nocase; content: !"|0a|"; within:1024; \
> reference:nessus,10374; reference:cve,CAN-2000-0284; sid:1845; rev:1;)
Instead of using two different contents one after the other, how about
something like contentpattern with -extra simplified- regexp capability?
It seems like what is done with the above rule is nothing more than a
simple regexp match (the content, nocase and within stuff).
Regarding the 'distance' keyword, it sounds more like TTL stuff (sensor
to target host distance in terms of hops) to me...
Phone: +90 312 2103379 Fax: +90 312 2103333
http://www.dayioglu.net ICQ UIN: 72276975
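To make the comparison concrete, here is an added example (not code from the thread or from Snort) that models the payload checks of the quoted sid:1845 rule in Python and beside it the single regexp the reply suggests. It assumes Snort's `within` semantics as documented (the negated content passes when no 0x0a byte occurs in the 1024 bytes after the end of the previous match, a buffer that ends early still counting as "not found") and ignores the `flow` option; the IMAP lines are constructed samples.

```python
import re

# Payload checks of the quoted rule (sid:1845):
#   content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024;
PATTERN = b' LIST "" '   # |22 22| is two double-quote bytes
WINDOW = 1024            # bytes after the first match inspected for "\n"


def rule_matches(payload: bytes) -> bool:
    """True when both content checks of sid:1845 succeed on this payload.

    Assumed semantics: the negated content passes only if no 0x0a byte
    appears in the WINDOW bytes following the end of the first match;
    a buffer that ends before the window is full still counts as
    'newline not found', so the rule fires on it.
    """
    pos = payload.lower().find(PATTERN.lower())  # nocase comparison
    if pos == -1:
        return False
    start = pos + len(PATTERN)
    return b"\n" not in payload[start:start + WINDOW]


# The same test as one regexp, as the reply proposes: either 1024
# non-newline bytes follow the match, or the buffer ends without one.
RULE_RE = re.compile(rb' LIST "" (?:[^\n]{1024}|[^\n]*\Z)', re.IGNORECASE)


def rule_matches_regex(payload: bytes) -> bool:
    return RULE_RE.search(payload) is not None


# Constructed sample IMAP client lines (not captured traffic).
BENIGN = b'a001 LIST "" "INBOX*"\r\n'
OVERLONG = b'a002 LIST "" "' + b"A" * 2000 + b'"\r\n'

if __name__ == "__main__":
    for name, pdu in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(name, rule_matches(pdu), rule_matches_regex(pdu))
```

Note that both forms also fire on a short LIST line whose CRLF has not yet arrived in the buffer, which is the edge case the negated `within` check carries.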