<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2627" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=新細明體 size=2><SPAN 
class=943423208-27052005>Hello,</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN 
class=943423208-27052005></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=943423208-27052005>I'm trying to 
interpret the following signature but keep failing :-( Does anyone know how the 
Snort kernel processes the following signature?</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=943423208-27052005>When the engine finds 
the content "|07|", why does it need a "within" and "depth" for the following 
byte_jump? How could this byte_jump happen in a range, not an exact 
location?</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN 
class=943423208-27052005></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=943423208-27052005>Thanks a 
lot.</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN 
class=943423208-27052005></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN class=943423208-27052005>alert udp 
$EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload 
certificate request length overflow attempt"; byte_test:4,>,2043,24; 
byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; 
byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; 
reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; 
sid:237);</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN 
class=943423208-27052005></SPAN></FONT> </DIV>
<DIV><FONT face=新細明體 size=2><SPAN 
class=943423208-27052005>BRs,</SPAN></FONT></DIV>
<DIV><FONT face=新細明體 size=2><SPAN 
class=943423208-27052005>Terry.</SPAN></FONT></DIV></BODY></HTML>
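Added example, not part of the original message and not Snort's own code: a Python walk-through of the detection cursor for the rule quoted above, run over two constructed ISAKMP datagrams. It assumes Snort 2 semantics in which a "relative" option with no earlier match counts from the start of the payload; the function names and sample packets are hypothetical.

```python
import struct

def rd(buf, off, n):
    """Big-endian n-byte read; None when the read falls outside the payload."""
    if off < 0 or off + n > len(buf):
        return None
    return int.from_bytes(buf[off:off + n], "big")

def eval_sid237(p):
    """Walk the rule's options in order; return (matched, trace of cursor steps)."""
    t = {}
    # byte_test:4,>,2043,24 -> absolute offset 24 (ISAKMP header Length field)
    t["hdr_len"] = rd(p, 24, 4)
    if t["hdr_len"] is None or t["hdr_len"] <= 2043:
        return False, t
    # byte_jump:2,30,relative -> nothing matched yet, so assumed relative to offset 0
    n = rd(p, 30, 2)
    if n is None:
        return False, t
    cur = t["cur_after_jump1"] = 30 + 2 + n
    # content:"|07|"; distance:-4; within:1 -> search window [cur-4, cur-4+1): one byte
    t["content_at"] = cur - 4
    if rd(p, cur - 4, 1) != 0x07:
        return False, t
    cur = cur - 4 + 1                      # cursor now sits just past the matched byte
    # byte_jump:2,1,relative -> read 2 bytes at cur+1, then skip that many bytes
    n = rd(p, cur + 1, 2)
    if n is None:
        return False, t
    cur = t["cur_after_jump2"] = cur + 1 + 2 + n
    # byte_test:2,>,2043,-2,relative -> the 2 bytes just behind the cursor
    t["tested_len"] = rd(p, cur - 2, 2)
    return (t["tested_len"] is not None and t["tested_len"] > 2043), t

def generic(next_type, body):
    """ISAKMP generic payload: next payload, reserved, 2-byte length, body."""
    return struct.pack(">BBH", next_type, 0, 4 + len(body)) + body

def build(first_body, third_body):
    """Constructed sample datagram with three payloads; the third is a Certificate Request."""
    body = (generic(4, b"A" * first_body) + generic(7, b"B" * 20)
            + generic(0, b"C" * third_body))
    hdr = bytes(16) + struct.pack(">BBBBII", 1, 0x10, 2, 0, 0, 28 + len(body))
    return hdr + body

if __name__ == "__main__":
    for name, pkt in (("oversized third payload", build(40, 2100)),
                      ("oversized first payload only", build(2100, 16))):
        print(name, eval_sid237(pkt))
```

In the trace, content_at is always the first byte of the second payload header (its Next Payload field), so distance:-4 with within:1 pins the match to one offset that is computed from the first payload's length rather than fixed in the rule.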