[Snort-sigs] To build a logical AND expression

Martin Olsson elof at ...1288...
Mon Dec 15 02:55:02 EST 2003


Many lame SMTP clients use only a 0x0d to terminate their commands and
many SMTP servers understand this behaviour. This triggers sid:1549 for
normal SMTP traffic (no buffer overflow attempts).


Is it possible to build a logical AND NOT expression to prevent this?

Original rule:
msg:"SMTP HELO overflow attempt"; flow:to_server,established;
content:"HELO "; offset:0; depth:5; content:!"|0a|"; within:500;


I want to check that there is no 0x0a AND no 0x0d within those 500 bytes.
Is this possible?




I don't know how snort handles the doe_pointer when content searches
DON'T match. If it is unmodified, I guess you could just add another
inverted content search in order to create a logical AND...

msg:"SMTP HELO overflow attempt"; flow:to_server,established;
content:"HELO "; offset:0; depth:5; content:!"|0a|"; within:500;
content:!"|0d|"; within:500;


Am I wrong?


(BTW, another solution might be to use the dsize keyword to see if the
packet is more than 500 bytes in size)
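As an added illustration (not part of the original post or of Snort itself): a small Python model of the content/offset/depth/within chain in the three candidate rules, evaluated against constructed HELO payloads. It assumes, as the post guesses, that a negated content that succeeds leaves the doe pointer unchanged, and it models dsize as plain payload length.

```python
# Model of the Snort 2 content-chain semantics relevant to sid:1549.
# Assumption (matches the post's guess): a negated content that succeeds
# because its pattern is absent does NOT move the doe pointer.

HELO = b"HELO "


def helo_rule_fires(payload: bytes, forbidden: tuple) -> bool:
    """True when 'content:"HELO "; offset:0; depth:5;' followed by one
    'content:!"<b>"; within:500;' per byte in `forbidden` would all succeed."""
    # offset:0; depth:5 -> the pattern must occupy exactly payload[0:5]
    if payload[:len(HELO)] != HELO:
        return False
    doe = len(HELO)                   # doe pointer sits right after "HELO "
    window = payload[doe:doe + 500]   # within:500 is measured from doe
    # every negated content succeeds only if its byte is absent from the window
    return all(pat not in window for pat in forbidden)


def original_rule(payload: bytes) -> bool:
    # content:!"|0a|"; within:500;
    return helo_rule_fires(payload, (b"\x0a",))


def and_not_rule(payload: bytes) -> bool:
    # content:!"|0a|"; within:500; content:!"|0d|"; within:500;
    return helo_rule_fires(payload, (b"\x0a", b"\x0d"))


def dsize_rule(payload: bytes) -> bool:
    # 'dsize:>500' alternative, simplified to raw payload length
    return payload[:len(HELO)] == HELO and len(payload) > 500


# Constructed sample payloads (not captured traffic)
NORMAL   = b"HELO mail.example.test\r\n"          # well-behaved client
CR_ONLY  = b"HELO mail.example.test\r"            # lame client, CR only
OVERFLOW = b"HELO " + b"A" * 600                  # no terminator in 500 bytes
LATE_CR  = b"HELO " + b"A" * 600 + b"\r"          # CR lands outside the window


def evaluate_all() -> dict:
    """Return {sample: (original, and_not, dsize)} for each constructed payload."""
    samples = {"normal": NORMAL, "cr_only": CR_ONLY,
               "overflow": OVERFLOW, "late_cr": LATE_CR}
    return {name: (original_rule(p), and_not_rule(p), dsize_rule(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        print(f"{name:9s} original={verdicts[0]} and_not={verdicts[1]} dsize={verdicts[2]}")
```

The CR-only sample is the false positive described above: the original rule fires on it, the AND NOT variant does not, and both still fire on the 600-byte HELO whether or not a CR follows it.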
