[Snort-sigs] False +ve from a couple of new rules.
Vinay A. Mahadik
VAMahadik at ...703...
Sun Aug 11 16:10:03 EDT 2002
Check out -
That'll imply (and the Snort source too) that distance is the number of
bytes between two content specs. Check sp_pattern_match.c/h and grep for
detect_offset_end and distance_adjustment.
Michael Scheidell wrote:
>>Anyway what I have done here is to list the rule and a packet capture or
>>two, that I believe to be a false positive:
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (
>>msg:"EXPERIMENTAL IMAP list overflow attempt";
>>content:" LIST |22 22| "; nocase; content:"|0a|"; distance:1024;
>>reference:nessus,10374; reference:cve,CAN-2000-0284; sid:1845; rev:1;)
> In both packets, I see the LIST, the 0x22 0x22 and, later on, the 0x0a,
> so Snort is doing what it should (I don't know what distance is either).
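To make the distance semantics concrete, here is an added worked example; it is not code from this thread or from Snort itself. It models the two content checks of sid:1845 as quoted above (first content with nocase, second content with distance:1024) and runs them over constructed IMAP payloads. The matching model (the second search begins 1024 bytes past the end of the first match and runs to the end of the payload) is my reading of what "distance" means; the sample payloads and the has_long_list_argument helper, which expresses what the rule appears to be looking for, are my own assumptions and are not proposed anywhere in the thread.

```python
# Model of the content/distance checks in sid:1845 rev:1, as quoted in the thread.
# Constructed example; it is not Snort's code and not a replacement for it.
FIRST_CONTENT = b' LIST "" '   # content:" LIST |22 22| "; nocase;
SECOND_CONTENT = b"\n"         # content:"|0a|";
DISTANCE = 1024                # distance:1024;


def find_nocase(payload: bytes, pattern: bytes, start: int = 0) -> int:
    """Offset of the first case-insensitive occurrence of pattern at or after start, or -1."""
    return payload.lower().find(pattern.lower(), start)


def rule_matches(payload: bytes) -> bool:
    """Assumed distance semantics: the search for SECOND_CONTENT starts DISTANCE
    bytes after the end of the FIRST_CONTENT match and continues to the end of
    the payload. Any LF anywhere in that window satisfies the rule, no matter how
    many LFs already appeared between the two. Only the first occurrence of
    FIRST_CONTENT is tried: a later occurrence would only shrink the window, so
    it cannot match where the first one failed."""
    first = find_nocase(payload, FIRST_CONTENT)
    if first < 0:
        return False
    first_end = first + len(FIRST_CONTENT)
    search_from = first_end + DISTANCE
    return payload.find(SECOND_CONTENT, search_from) >= 0


def has_long_list_argument(payload: bytes) -> bool:
    """My reading of what the rule is after (an assumption, not from the thread):
    the line that starts with LIST "" runs at least DISTANCE bytes before its
    first LF, i.e. an oversized argument, not merely 'some LF far away'."""
    first = find_nocase(payload, FIRST_CONTENT)
    if first < 0:
        return False
    first_end = first + len(FIRST_CONTENT)
    first_lf = payload.find(SECOND_CONTENT, first_end)
    if first_lf < 0:
        return len(payload) - first_end >= DISTANCE  # line still open, already huge
    return first_lf - first_end >= DISTANCE


def build_payloads():
    """Constructed IMAP client payloads (not the captures from the thread)."""
    # A single short LIST: nothing lies 1024 bytes past it, so no match.
    short = b'a001 LIST "" "*"\r\n'
    # A short LIST followed by many ordinary short commands in the same segment.
    # Every line is tiny, but an LF exists more than 1024 bytes past the LIST,
    # so the distance check is satisfied: this is the false-positive shape.
    pipelined = b'a001 LIST "" "*"\r\n' + b"".join(
        b"a%03d NOOP\r\n" % i for i in range(2, 150)
    )
    # The traffic the rule was written for: LIST "" with a huge argument, then LF.
    overflow = b'a001 LIST "" "' + b"A" * 2000 + b'"\r\n'
    return short, pipelined, overflow


if __name__ == "__main__":
    for name, payload in zip(("short", "pipelined", "overflow"), build_payloads()):
        print(f"{name:10s} rule_matches={rule_matches(payload)!s:5s} "
              f"long_argument={has_long_list_argument(payload)}")
```

Running it shows the gap Michael hit: the pipelined payload fires the rule even though every line in it is short, because a 0x0a does exist 1024 bytes after the LIST, while has_long_list_argument only flags the overflow-shaped payload.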