[Snort-devel] Problem(?) with keyword "within"?

Jens Krabbenhoeft tschenz-snort-devel at ...1606...
Mon Nov 18 00:02:03 EST 2002


Hi all,

  I got some alerts for "SMTP HELO overflow" today, and when looking at
them, I saw that there seems to be a problem(?) with the keyword
"within":

The packet's payload triggering the alert is as follows:

 length = 5
000 : 48 45 4C 4F 20                                    HELO 

There is another one, that looks like this:

 length = 13
000 : 48 45 4C 4F 20 67 6D 78 2E 63 6F 6D 0D            HELO gmx.com.

The rule:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow
attempt"; flow:to_server,established; content:"HELO "; offset:0;
depth:5; content:!"|0a|"; within:500; reference:cve,CVE-2000-0042;
reference:nessus,10324;
classtype:attempted-admin; sid:1549; rev:9;)

Although there is no '0A' within the next 500 bytes, I think the alert
should not fire on the given packets. Wouldn't it make sense to let the
"within" keyword set a "dsize" implicitly?

Regards,

	Jens
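The matching logic behind sid:1549 and the proposed implicit size check, as an added illustration in Python (not Snort's own code). It assumes the rule-option semantics described in the post: a negated content succeeds when the pattern is absent from its window, and within:N bounds that window to N bytes after the previous match; the size-gated variant and the constructed payloads are assumptions for demonstration.

```python
# Toy model of the content/offset/depth/within checks in the
# "SMTP HELO overflow attempt" rule (sid:1549). Assumed semantics, not Snort code.

HELO = b"HELO "
LF = b"\n"

def match_helo_overflow_rule(payload: bytes, within: int = 500) -> bool:
    """True if the rule's content checks fire on this payload."""
    # content:"HELO "; offset:0; depth:5  -> search only bytes [0, 5)
    pos = payload[0:5].find(HELO)
    if pos == -1:
        return False
    prev_end = pos + len(HELO)               # end of the previous match
    # content:!"|0a|"; within:500 -> search [prev_end, prev_end + within)
    region = payload[prev_end:prev_end + within]
    # Negated content: the check succeeds when no LF is found. On a 5-byte
    # payload the region is empty, so "no LF" is trivially true and the rule fires.
    return region.find(LF) == -1

def match_with_min_size(payload: bytes, min_dsize: int, within: int = 500) -> bool:
    """The same rule gated by an explicit payload size, modelling the
    'within sets dsize implicitly' idea: only judge a window you can actually
    see (here: 5 bytes of HELO plus the 500-byte within window)."""
    if len(payload) < min_dsize:             # equivalent to dsize:>=min_dsize
        return False
    return match_helo_overflow_rule(payload, within)

# Constructed sample payloads: the two from the post, a genuinely long HELO
# line, and a normal HELO that ends with CRLF inside the window.
SHORT_HELO = b"HELO "                         # 5 bytes, from the post
HELO_GMX = b"HELO gmx.com\r"                  # 13 bytes, from the post
LONG_HELO = HELO + b"A" * 600 + b"\r\n"       # constructed oversized HELO
NORMAL_HELO = b"HELO mail.example.com\r\n"    # constructed benign HELO
IMPLIED_DSIZE = len(HELO) + 500               # 505 bytes

if __name__ == "__main__":
    for name, p in [("short", SHORT_HELO), ("gmx", HELO_GMX),
                    ("long", LONG_HELO), ("normal", NORMAL_HELO)]:
        print(f"{name:6s} rule={match_helo_overflow_rule(p)} "
              f"size-gated={match_with_min_size(p, IMPLIED_DSIZE)}")
```

The unmodified logic alerts on both packets from the post, while the size-gated variant alerts only on the 607-byte HELO line.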



