[Snort-sigs] Snort 1.9 "within:" option broken? (fwd)

Carl Gibbons cgibbons at ...1299...
Fri Feb 14 07:53:13 EST 2003


(This may be a frequently asked question...)

Is the "within" option in Snort 1.9 signatures working properly?

For example, in this rule in imap.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:" AUTHENTICATE "; nocase; content:!"|0a|"; within:1024; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:1844; rev:4;)

I read the options
  content:!"|0a|"; within:1024;
as
  "match if 0x0a (newline) does not appear in the
   first 1024 bytes of the payload."

Nevertheless, this rule just alerted on a packet with the following payload:

32 20 61 75 74 68 65 6E 74 69 63 61 74 65 20 70  2 authenticate p
6C 61 69 6E 0D 0A                                lain..

Maybe I'm reading the option wrong, and it really gets parsed as
"match if anything other than a newline appears in the first 1024
bytes of payload."  If so, the signature, and all overflow
signatures in imap.rules, yield too many false positives to be
useful.

- Carl
