[Snort-sigs] False +ve from a couple of new rules.

Vinay A. Mahadik VAMahadik at ...703...
Sun Aug 11 16:10:03 EDT 2002


Hi,

About 'distance'...

Check out -
http://archives.neohapsis.com/archives/bugtraq/2000-04/0085.html

That'll imply (and the snort source too) that distance is the number of 
bytes between two content specs. Check sp_pattern_match.c/h and grep for -
detect_offset_end and distance_adjustment.

Thanks,
Vinay.

Michael Scheidell wrote:

>>Anyway what I have done here is to list the rule and a packet capture or
>>two, that I believe to be a false positive:  
>>
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (
>>msg:"EXPERIMENTAL IMAP list overflow attempt";
>>flow:established,to_server; 
>>content:" LIST |22 22| "; nocase; content:"|0a|"; distance:1024; 
>>reference:nessus,10374; reference:cve,CAN-2000-0284; sid:1845; rev:1;)
>>
> 
> In both packets, I see the LIST, the 0x22 0x22 and later on, the 0x0a,
> so, snort is doing what it should (I don't know what distance is either)
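A small model of the `distance` semantics Vinay points to, added here as an example that is not part of the original thread or of Snort's code: `distance:N` starts the search for the next content N bytes past the end of the previous match, and with no `within` that search runs to the end of the payload. The two IMAP payloads are constructed; the second reproduces Michael's observation (LIST, 0x22 0x22, and a 0x0a much later) and shows why the rule fires on it.

```python
import re

# The rule's first content (" LIST |22 22| " in Snort notation) and the
# two constructed IMAP payloads compared below.
LIST_CONTENT = b' LIST "" '
# Overlong LIST argument: 1100 bytes with no line terminator until the end.
ATTACK = b'a001 LIST "" ' + b'A' * 1100 + b'\r\n'
# Benign traffic: a short LIST line followed by 50 pipelined commands
# (1200 bytes), so a 0x0a appears right after LIST "" and again well
# beyond 1024 bytes.
BENIGN = b'a001 LIST "" *\r\n' + b'a002 FETCH 1:* (FLAGS)\r\n' * 50


def snort_like_match(payload: bytes, first: bytes, second: bytes, distance: int) -> bool:
    """Model of content/nocase followed by content/distance with no `within`:
    find `first` case-insensitively, then look for `second` anywhere at or
    after (end of first match + distance), up to the end of the payload."""
    m = re.search(re.escape(first), payload, re.IGNORECASE)
    if m is None:
        return False
    return payload.find(second, m.end() + distance) != -1


def no_newline_within(payload: bytes, first: bytes, span: int) -> bool:
    """The condition the rule's msg suggests it intends: after `first`, at
    least `span` bytes of argument arrive with no 0x0a among them."""
    m = re.search(re.escape(first), payload, re.IGNORECASE)
    if m is None:
        return False
    window = payload[m.end():m.end() + span]
    return len(window) == span and b"\n" not in window


def evaluate(payload: bytes) -> dict:
    """Apply both checks to one payload, sid 1845 style (distance:1024)."""
    return {
        "sid1845_fires": snort_like_match(payload, LIST_CONTENT, b"\n", 1024),
        "overlong_argument": no_newline_within(payload, LIST_CONTENT, 1024),
    }


if __name__ == "__main__":
    for name, pkt in (("attack", ATTACK), ("benign", BENIGN)):
        print(name, evaluate(pkt))
```

The rule fires on both payloads because any 0x0a at or beyond 1024 bytes satisfies the second content, while only the first payload actually carries an overlong argument.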