[Snort-sigs] Question about sid: 1002

Brian bmc at ...95...
Thu Apr 3 13:16:27 EST 2003


> > So we wouldn't match those attacks, if you were looking for "cmd.exe?".
> > 
> > I'm sure there is a better way to reduce false positives though.  Maybe
> > by looking for a '?' after the cmd.exe search, but no space/tab before
> > the '?', which would indicate the end of the URI.
> > 
> OK.  So something like content: "cmd.exe"; nocase; depth: 0; content:
> ![20]; depth: 0; content: ![09]; depth: 0; content: "?"; might work
> better?  (I'm still trying to understand the intricacies of rule
> writing, so I'm sure this isn't anywhere near perfect.)

"depth:x;" tells the pattern matcher to look for the pattern within X+Y 
bytes from the beginning of the packet where Y is how many bytes to
skip before treating it like the beginning of the packet.  This is
known as offset, which defaults to 0.

"distance:x"; tells the pattern matcher to start look for the pattern 
X bytes from the end of the previous content match.

I've already spoken to Dan about your specific case.  What Dan suggests 
is not currently possible.  In your specific case, I would suggest
something akin to this rule snippet: 

   flow:to_server,established; content:"cmd.exe"; content:"?"; distance:0;

-Brian




More information about the Snort-sigs mailing list