[Snort-devel] the NOT operation on content

Daniel Roelker droelker at ...402...
Thu Oct 31 08:42:05 EST 2002


Have you tried this against snort-1.9?  There shouldn't be an issue with
snort 2.0, because the detection engine will flag the "LIST |22 22|" and
then send the packet to the snort detection plugins for verification, where
it should fail because of the !|0a|, and the detection engine keeps plugging
away on the packet looking for the next content match.

Dan

On 10/31/02 11:29 AM, "Phil Wood" <cpw at ...86...> wrote:

> Folks,
> 
> Maybe this is understood already.  I'm going in and out of consciousness from
> day to day and readily admit to skipping snort mail on occasion.
> 
> Anyhow ...
> 
> The rule:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPERIMENTAL IMAP list
> overflow attempt"; flow:established,to_server; content:" LIST |22 22| ";
> nocase; content:!"|0a|"; within:1024; reference:nessus,10374;
> reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:4;)
> 
> which I assume should only fire if there is not a '0A' character within the
> first 1024 bytes of data.
> 
> fires for this content:
> 
> 000 : 41 30 30 39 20 4C 49 53 54 20 22 22 20 22 49 4E   A009 LIST "" "IN
> 010 : 42 4F 58 2A 22 0D 0A                              BOX*"..
> 
> in snort:
> 
> Version 2.0.0beta (Build 13)
> 
> Has it been addressed?
> 
> Thanks,
> 
> Phil
> 
> 
> 

-- 
Daniel Roelker
Software Engineer
droelker at ...402...

www.sourcefire.com
www.snort.org
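As an added illustration, not code from this thread or from Snort itself: a small Python model of how a chain of content options is evaluated, with `within` modelled (a simplifying assumption) as the byte window following the end of the previous match, run against the payload from the hex dump above. It shows why sid 1845 should not fire on that packet: the |0a| sits 9 bytes after the LIST match, well inside the 1024-byte window, so the negated content fails.

```python
# Constructed from the hex dump quoted above: the IMAP LIST command.
PAYLOAD = bytes.fromhex(
    "41 30 30 39 20 4C 49 53 54 20 22 22 20 22 49 4E"
    "42 4F 58 2A 22 0D 0A"
)


def match_chain(payload, contents):
    """Evaluate content options in order; True means every option passed.

    Each entry is (pattern, negated, nocase, within). `within` is modelled
    as the number of bytes after the previous match in which the pattern is
    searched (None = rest of the payload). This is a simplified model of the
    Snort semantics, not the real detection engine.
    """
    cursor = 0  # end of the previous positive match
    for pattern, negated, nocase, within in contents:
        end = len(payload) if within is None else cursor + within
        hay = payload[cursor:end]
        if nocase:
            idx = hay.lower().find(pattern.lower())
        else:
            idx = hay.find(pattern)
        found = idx != -1
        if negated:
            if found:
                return False  # forbidden byte present: option fails
            # a negated content does not move the cursor
        else:
            if not found:
                return False
            cursor += idx + len(pattern)  # advance past the match
    return True


# The two content options of sid 1845 from the quoted rule.
SID_1845_CONTENTS = [
    (b' LIST "" ', False, True, None),  # content:" LIST |22 22| "; nocase;
    (b"\n", True, False, 1024),         # content:!"|0a|"; within:1024;
]


def rule_fires(payload):
    return match_chain(payload, SID_1845_CONTENTS)
```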
