[Snort-devel] complicated snort rule interpretation.

Rong-Tai Liu tie at ...2176...
Fri May 27 01:37:18 EDT 2005


Hello,

I'm trying to interpret the following signature but keep failing :-( Does
anyone know how the snort kernel processes the following signature?
When the engine finds the content "|07|", why does it need a "within" and "depth"
for the following byte_jump? How could this byte_jump happen in a range,
not at an exact location?

Thanks a lot.
 
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( \
    msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; \
    byte_test:4,>,2043,24; byte_jump:2,30,relative; \
    content:"|07|"; within:1; distance:-4; \
    byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; \
    reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:237;)
 
BRs,
Terry.
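An added example, not from the list post or from Snort's own code: it walks this rule's option chain over constructed ISAKMP datagrams to show where each byte_jump leaves Snort 2's cursor and why distance:-4; within:1 pins the content match to one byte rather than a range. The cursor arithmetic assumes Snort 2's byte_jump semantics (new position = offset of the length field + bytes read + value); the packets, payload bodies and length values are constructed.

```python
import struct

def build_isakmp(payloads, header_len=None):
    """Constructed ISAKMP datagram: 28-byte header, then generic payloads
    (Next Payload, RESERVED, Payload Length, body). payloads = [(type, body,
    claimed_len)]; claimed_len/header_len let a length field lie about the
    real size, which is the condition the rule looks for."""
    body = b""
    for i, (_, data, claimed) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, claimed or 4 + len(data)) + data
    total = header_len or 28 + len(body)
    hdr = b"\x11" * 8 + b"\x22" * 8 + struct.pack("!BBBBII", payloads[0][0], 0x10, 2, 0, 0, total)
    return hdr + body

def rule_237_matches(p):
    """Walk sid:237's option chain the way Snort 2 moves its cursor (doe_ptr).
    Returns (matched, cursor positions after each byte_jump)."""
    n, trace = len(p), []
    def be(off, size):  # big-endian unsigned read; Snort fails the option when out of bounds
        if off < 0 or off + size > n:
            raise IndexError
        return int.from_bytes(p[off:off + size], "big")
    try:
        # byte_test:4,>,2043,24 -> ISAKMP header Length; byte_test never moves the cursor
        if be(24, 4) <= 2043:
            return False, trace
        # byte_jump:2,30,relative -> no cursor yet, so relative == payload start.
        # Reads payload #1's Length at 30 and sets cursor = 30 + 2 + value: that is
        # 4 bytes past the end of payload #1, i.e. just past payload #2's generic header.
        cur = 30 + 2 + be(30, 2)
        trace.append(cur)
        # content:"|07|"; distance:-4; within:1 -> the search window starts 4 bytes back
        # (payload #2's Next Payload field) and is 1 byte long, so this is an exact
        # location, not a range: 7 = Certificate Request, i.e. payload #3 is a CR.
        start = cur - 4
        if start < 0 or p[start:start + 1] != b"\x07":
            return False, trace
        cur = start + 1                      # cursor now sits after the matched byte
        # byte_jump:2,1,relative -> payload #2's Length is 1 byte ahead (past RESERVED);
        # cursor = field + 2 + value, again 4 bytes past the end of payload #2.
        cur = cur + 1 + 2 + be(cur + 1, 2)
        trace.append(cur)
        # byte_test:2,>,2043,-2,relative -> the 2 bytes just behind the cursor are
        # payload #3's (the CR's) Length field; an oversized CR fires the alert.
        return be(cur - 2, 2) > 2043, trace
    except IndexError:
        return False, trace

# Constructed samples: SA (1), KE (4), CR (7). SANE is a large but consistent message;
# OVERSIZED_CR claims a 2100-byte certificate request in 8 real bytes of body.
SANE = build_isakmp([(1, bytes(12), None), (4, bytes(16), None), (7, bytes(8), None)], header_len=2500)
OVERSIZED_CR = build_isakmp([(1, bytes(12), None), (4, bytes(16), None), (7, bytes(8), 2100)], header_len=2100)
```

The cursor lands at 48 and 68 in both samples (payload #1 ends at 44, payload #2 at 64), which is exactly why the rule steps back 4 and 2 bytes respectively.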