[Snort-sigs] Question about sid: 1002
bmc at ...95...
Thu Apr 3 13:16:27 EST 2003
> > So we wouldn't match those attacks, if you were looking for "cmd.exe?".
> > I'm sure there is a better way to reduce false positives though. Maybe
> > by looking for a '?' after the cmd.exe search, but no space/tab before
> > the '?', which would indicate the end of the URI.
> OK. So something like content: "cmd.exe"; nocase; depth: 0; content:
> !; depth: 0; content: !; depth: 0; content: "?"; might work
> better? (I'm still trying to understand the intricacies of rule
> writing, so I'm sure this isn't anywhere near perfect.)
"depth:x;" tells the pattern matcher to look for the pattern within X+Y
bytes from the beginning of the packet where Y is how many bytes to
skip before treating it like the beginning of the packet. This is
known as offset, which defaults to 0.
"distance:x;" tells the pattern matcher to start looking for the pattern
X bytes from the end of the previous content match.
I've already spoken to Dan about your specific case. What Dan suggests
is not currently possible. In your specific case, I would suggest
something akin to this rule snippet:
flow:to_server,established; content:"cmd.exe"; content:"?"; distance:0;
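As an added illustration (not code from this thread or from Snort itself), here is a small Python model of the offset/depth/distance semantics explained above, run over constructed request lines to show what the suggested `content:"cmd.exe"; content:"?"; distance:0;` snippet does and does not match; the sample requests and the helper names are assumptions.

```python
"""Toy model of Snort content-option semantics (offset/depth/distance).
Added illustration only; the matching rules follow the mail above, not Snort source."""
from typing import List, Optional, Tuple

# A content option: (pattern, nocase, offset, depth, relative, distance)
# relative=True anchors the search to the end of the previous match ("distance:"),
# relative=False anchors it to the start of the packet ("offset:").
Content = Tuple[bytes, bool, int, int, bool, int]


def _occurrences(hay: bytes, pat: bytes, begin: int, end: int):
    """Yield the end index of every occurrence of pat fully inside hay[begin:end]."""
    i = hay.find(pat, begin, end)
    while i >= 0:
        yield i + len(pat)
        i = hay.find(pat, i + 1, end)


def match_contents(payload: bytes, contents: List[Content], cursor: int = 0) -> bool:
    """True if every content option matches in order.  When a relative option
    fails, earlier occurrences are retried, so a later "cmd.exe" can still win."""
    if not contents:
        return True
    pat, nocase, offset, depth, relative, distance = contents[0]
    hay = payload.lower() if nocase else payload
    pat = pat.lower() if nocase else pat
    # offset skips bytes from packet start; distance skips bytes from the previous
    # match end; depth:0 means "no limit", otherwise the window is depth bytes long.
    begin = (cursor + distance) if relative else offset
    end = len(hay) if depth == 0 else min(len(hay), begin + depth)
    return any(match_contents(payload, contents[1:], m)
               for m in _occurrences(hay, pat, begin, end))


# The snippet suggested in the reply: content:"cmd.exe"; content:"?"; distance:0;
SUGGESTED_RULE: List[Content] = [
    (b"cmd.exe", False, 0, 0, False, 0),
    (b"?",       False, 0, 0, True,  0),
]

# Constructed sample requests (hypothetical, not taken from the thread).
SAMPLES = {
    "cmd_exe_with_query":     b"GET /cgi-bin/cmd.exe?arg=1 HTTP/1.0\r\n",
    "cmd_exe_no_query":       b"GET /files/cmd.exe HTTP/1.0\r\n",
    "query_before_name":      b"GET /search?q=cmd.exe HTTP/1.0\r\n",
    # distance:0 with no upper bound: a '?' anywhere later in the packet also matches.
    "query_later_in_packet":  b"GET /files/cmd.exe HTTP/1.0\r\nReferer: /page?x=1\r\n",
}


def evaluate(rule: List[Content] = SUGGESTED_RULE) -> dict:
    """Map each sample name to whether the rule's content options match it."""
    return {name: match_contents(req, rule) for name, req in SAMPLES.items()}
```

The last sample shows why the reply calls this "akin to" a rule: `distance:0` only says the `?` must come after `cmd.exe`, so the match can be satisfied by a `?` in a later header rather than in the URI.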