[Snort-devel] Problem(?) with keyword "within"?

Chris Green cmg at ...835...
Mon Nov 18 12:12:05 EST 2002

Jens Krabbenhoeft <tschenz-snort-devel at ...1606...> writes:

> Hi all,
>   I got some alert for "SMTP HELO overflow" today, and when looking at
> them, I saw that there seems to be a problem(?) with the keyword
> "within":
> The packet's payload triggering the alert is as follows:
>  length = 5
> 000 : 48 45 4C 4F 20                                    HELO 
> There is another one, that looks like this:
>  length = 13
> 000 : 48 45 4C 4F 20 67 6D 78 2E 63 6F 6D 0D            HELO gmx.com.
> The rule:
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow
> attempt"; flow:to_server,established; content:"HELO "; offset:0;
> depth:5; content:!"|0a|"; within:500
> ; reference:cve,CVE-2000-0042; reference:nessus,10324;
> classtype:attempted-admin; sid:1549; rev:9;)
> Although there is no '0A' within the next 500 bytes, I think the alert
> should not fire on the given packets?

It should alert on that packet..  Trouble is that the 0d is being used
as a line terminator in the other one and I'm not sure how having 2
!content's trying to reference the same relative distances willl work
at hte moment.

> Wouldn't it make sense, to let the "within" keyword set a "dsize"
> implicitly?

Nope. That's a bad idea for the way we've been writing "within"

DSize shall forever remain a packet characteristic but most of the
stuff we're gearing towards now is more protocol knowledge.

It's good to see the false positives for these kind of rules so that
as we move forward, we see the weaknesses of that approach.
Chris Green <cmg at ...402...>
Warning: time of day goes back, taking countermeasures.

More information about the Snort-devel mailing list