[Snort-sigs] Question about sid: 1002

Paul Schmehl pauls at ...1311...
Thu Apr 3 14:29:37 EST 2003


Thanks Brian.

On Thu, 2003-04-03 at 15:19, Brian wrote:
> > > So we wouldn't match those attacks, if you were looking for "cmd.exe?".
> > > 
> > > I'm sure there is a better way to reduce false positives though.  Maybe
> > > by looking for a '?' after the cmd.exe search, but no space/tab before
> > > the '?', which would indicate the end of the URI.
> > > 
> > OK.  So something like content: "cmd.exe"; nocase; depth: 0; content:
> > ![20]; depth: 0; content: ![09]; depth: 0; content: "?"; might work
> > better?  (I'm still trying to understand the intricacies of rule
> > writing, so I'm sure this isn't anywhere near perfect.)
> 
> "depth:x;" tells the pattern matcher to look for the pattern within X+Y 
> bytes from the beginning of the packet where Y is how many bytes to
> skip before treating it like the beginning of the packet.  This is
> known as offset, which defaults to 0.
> 
> "distance:x;" tells the pattern matcher to start looking for the pattern
> X bytes from the end of the previous content match.
> 
> I've already spoken to Dan about your specific case.  What Dan suggests 
> is not currently possible.  In your specific case, I would suggest
> something akin to this rule snippet: 
> 
>    flow:to_server,established; content:"cmd.exe"; content:"?"; distance:0;
> 
> -Brian
-- 
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
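To make the offset/depth/distance semantics Brian describes concrete, here is an added example (not code from the thread, and not Snort's own matcher): a small Python evaluator that walks an ordered list of content matches the way the thread explains them, then runs Brian's `content:"cmd.exe"; content:"?"; distance:0;` snippet and a naive version without `distance` over a few constructed HTTP request lines. The `Content` class, the function names and the sample requests are all assumptions made for the illustration; `depth` left unset means "no limit".

```python
# Added example: toy evaluator for Snort-style content/offset/depth/distance
# matching as described in the thread. Not Snort code; names and sample
# requests below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    negated: bool = False          # content:!"..." -> pattern must NOT be found
    offset: int = 0                # bytes to skip before treating as packet start
    depth: Optional[int] = None    # pattern must lie within offset+depth bytes
    distance: Optional[int] = None  # search starts this many bytes after previous match


def _find(hay: bytes, needle: bytes, nocase: bool) -> int:
    if nocase:
        return hay.lower().find(needle.lower())
    return hay.find(needle)


def content_chain_matches(payload: bytes, contents: List[Content]) -> bool:
    """Evaluate an ordered chain of content matches against one payload.

    Semantics as explained in the thread:
      depth:X with offset:Y  -> pattern must be fully inside the first X+Y bytes
      distance:X             -> search starts X bytes after the previous match ended
    If distance is set it is treated as relative and offset/depth are ignored
    (simplification: real Snort does not let you combine the two).
    """
    prev_end = 0  # where the previous (non-negated) match ended
    for c in contents:
        if c.distance is not None:
            start, end = prev_end + c.distance, len(payload)
        else:
            start = c.offset
            end = len(payload) if c.depth is None else c.offset + c.depth
        window = payload[start:end]
        idx = _find(window, c.pattern, c.nocase)
        found = idx != -1
        if c.negated:
            if found:
                return False
            continue  # a negated content does not move the cursor
        if not found:
            return False
        prev_end = start + idx + len(c.pattern)
    return True


# Brian's suggested snippet: "?" must occur somewhere AFTER cmd.exe.
RULE_WITH_DISTANCE = [Content(b"cmd.exe"), Content(b"?", distance=0)]

# Naive variant: both strings anywhere in the packet, in any order.
RULE_WITHOUT_DISTANCE = [Content(b"cmd.exe"), Content(b"?")]

# Constructed request lines (not captured traffic).
SAMPLE_REQUESTS = {
    "cmd_with_query": b"GET /scripts/cmd.exe?/c+dir HTTP/1.0",
    "cmd_no_query": b"GET /scripts/cmd.exe+/c+dir HTTP/1.0",
    "kb_article": b"GET /kb/article?title=cmd.exe HTTP/1.0",
}


def evaluate_all(rule: List[Content]) -> dict:
    """Return {name: matched?} for every sample request under one rule."""
    return {name: content_chain_matches(req, rule) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, rule in (("with distance:0", RULE_WITH_DISTANCE),
                        ("without distance", RULE_WITHOUT_DISTANCE)):
        print(label, evaluate_all(rule))
    # depth/offset illustration on the first sample request
    req = SAMPLE_REQUESTS["cmd_with_query"]
    print("cmd.exe within first 10 bytes:",
          content_chain_matches(req, [Content(b"cmd.exe", depth=10)]))
    print("/scripts at offset 4, depth 8:",
          content_chain_matches(req, [Content(b"/scripts", offset=4, depth=8)]))
```

Running it shows the point of `distance:0`: the rule with it matches `cmd_with_query` only, while the naive pair also fires on the knowledge-base URL where `?` precedes `cmd.exe`. The last two prints show `depth` as a hard window from the packet start (offset plus depth), so a pattern that starts inside the window but ends outside it does not match.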