[Snort-devel] the NOT operation on content

Phil Wood cpw at ...86...
Thu Oct 31 08:30:03 EST 2002


Folks,

Maybe this is understood already.  I'm going in and out of consciousness from
day to day and readily admit to skipping snort mail on occasion.

Anyhow ...

The rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPERIMENTAL IMAP list overflow attempt"; flow:established,to_server; content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:4;)

which I assume should only fire if there is not a '0A' character within the
first 1024 bytes of data.

fires for this content:

000 : 41 30 30 39 20 4C 49 53 54 20 22 22 20 22 49 4E   A009 LIST "" "IN
010 : 42 4F 58 2A 22 0D 0A                              BOX*"..

in snort:

Version 2.0.0beta (Build 13)

Has it been addressed?

Thanks,

Phil
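
The content logic of the rule above, as an added example that is not part of the original post and not Snort's own matcher: a small Python re-implementation of the `content`, `nocase`, `!` (negation) and `within` semantics as the Snort manual documents them (a relative match must end within N bytes of the end of the previous match, and a negated content succeeds only when the pattern is absent from that window), run over the payload quoted in the post and over two constructed payloads. `flow:established,to_server` is not modelled, and the byte strings other than the quoted one are constructed for the example.

```python
# Added example: minimal re-implementation of the Snort content modifiers used by
# sid:1845. Illustrative code only, not Snort's detection engine.
from typing import Optional


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as ' LIST |22 22| ' into raw bytes.

    Text outside |...| is literal; text inside |...| is hex bytes.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        if spec[i] == "|":
            j = spec.index("|", i + 1)          # closing pipe
            out += bytes.fromhex(spec[i + 1:j])  # fromhex ignores spaces
            i = j + 1
        else:
            out.append(ord(spec[i]))
            i += 1
    return bytes(out)


def find(payload: bytes, pattern: bytes, start: int = 0,
         end: Optional[int] = None, nocase: bool = False) -> int:
    """Return the absolute offset of pattern in payload[start:end], or -1."""
    hay = payload[start:end]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    idx = hay.find(pattern)
    return -1 if idx < 0 else start + idx


def sid1845_matches(payload: bytes) -> bool:
    """Evaluate the two content options of sid:1845 against one payload.

    1) content:" LIST |22 22| "; nocase;
    2) content:!"|0a|"; within:1024;   (relative to the end of match 1)

    The rule matches only if match 1 is found AND no LF byte appears in
    the 1024 bytes that follow it (negated content + within).
    """
    pat1 = parse_content(' LIST |22 22| ')
    pos = find(payload, pat1, nocase=True)
    if pos < 0:
        return False
    cursor = pos + len(pat1)             # "doe" pointer after match 1
    # within:N - a 1-byte relative match must lie in payload[cursor:cursor+N]
    window_end = cursor + 1024
    lf = find(payload, b"\x0a", start=cursor, end=window_end)
    return lf < 0                        # negation: succeed only if absent


# Payload as shown in the post's hex dump:
# 41 30 30 39 20 4C 49 53 54 20 22 22 20 22 49 4E 42 4F 58 2A 22 0D 0A
PAYLOAD_FROM_POST = b'A009 LIST "" "INBOX*"\r\n'

# Constructed payloads (assumptions for the example, not from the post):
# a long LIST argument with no line terminator at all ...
PAYLOAD_NO_LF = b'A009 LIST "" "' + b"A" * 2000
# ... and one whose LF sits just beyond the 1024-byte within window.
PAYLOAD_LF_BEYOND_WINDOW = b'A009 LIST "" "' + b"A" * 1030 + b"\n"


if __name__ == "__main__":
    for name, p in [("post", PAYLOAD_FROM_POST),
                    ("no LF", PAYLOAD_NO_LF),
                    ("LF beyond window", PAYLOAD_LF_BEYOND_WINDOW)]:
        print(f"{name:17s} -> rule fires: {sid1845_matches(p)}")
```

Under these semantics the quoted payload does not satisfy the rule, because its LF falls inside the 1024-byte window that follows the `LIST "" ` match; the two constructed payloads do, since no LF occurs within that window. Whether a given Snort build implements negated relative content this way is exactly the question the post raises, so the example only shows what the rule text asks for.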
