[Snort-devel] NOT content and uricontent="?..." problems in Snort 2.0

Brian bmc at ...835...
Sat Mar 1 13:28:27 EST 2003


On Thu, Feb 27, 2003 at 01:23:57PM -0800, Radek Mista wrote:
> I've been running comparison tests between Snort 1.9 and Snort 2.0 and I 
> noticed a couple of problems with Snort 2.0.
> 
>  1)  Snort 2.0 did not alert on any rules with NOT content
> (content:!"string"). For example, when run on the same data, Snort 1.9
> reported the following:
> 
> [**] [1:1734:6] FTP USER overflow attempt [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> 05/24-15:38:30.926650 X.X.X.X:61292 -> Y.Y.Y.Y:21
> TCP TTL:126 TOS:0x0 ID:6247 IpLen:20 DgmLen:51 DF
> ***AP*** Seq: 0x859EBD72  Ack: 0xE52E3E23  Win: 0x443F  TcpLen: 20

Can you include the payload for these?  It's kinda hard to debug content
rules without actual payload.

-brian
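For readers following the thread, here is an added example (not Snort's own code) of the semantics a `content:!"..."` option is expected to have: a rule's content options are ANDed, and a negated option holds only when its pattern is absent from the payload. The rules, sids and FTP payloads below are constructed for this example.

```python
# Minimal model of Snort content / content:!"..." matching (added example,
# not Snort source). Negated content holds when the pattern is NOT present.
from dataclasses import dataclass


@dataclass(frozen=True)
class Content:
    pattern: bytes
    negated: bool = False   # the content:!"..." form
    nocase: bool = False    # the nocase modifier


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    options: tuple          # tuple of Content, all must hold


def content_holds(opt: Content, payload: bytes) -> bool:
    hay, needle = payload, opt.pattern
    if opt.nocase:
        hay, needle = hay.lower(), needle.lower()
    present = needle in hay
    # A negated option is satisfied only by the absence of the pattern.
    return (not present) if opt.negated else present


def rule_alerts(rule: Rule, payload: bytes) -> bool:
    # Content options are ANDed; every one must hold for the rule to fire.
    return all(content_holds(o, payload) for o in rule.options)


def alerting_sids(rules, payload: bytes):
    return [r.sid for r in rules if rule_alerts(r, payload)]


# Hypothetical rules; sids and messages are constructed for this example.
RULES = (
    Rule(900001, "FTP USER command for a non-anonymous account",
         (Content(b"USER", nocase=True),
          Content(b"anonymous", negated=True, nocase=True))),
    Rule(900002, "FTP PASS command without CRLF terminator",
         (Content(b"PASS"), Content(b"\r\n", negated=True))),
)

# Constructed sample FTP payloads (not taken from the original post).
PAYLOADS = {
    "anon": b"USER anonymous\r\n",
    "named": b"user bob\r\n",
    "pass_unterminated": b"PASS " + b"A" * 64,
}

if __name__ == "__main__":
    for name, p in PAYLOADS.items():
        print(name, alerting_sids(RULES, p))
```

An engine that never fires rules carrying a negated option would return an empty list for every payload here, which is the kind of 1.9-versus-2.0 difference the original comparison test would expose.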
