[Snort-sigs] Snort 1.9 "within:" option broken? (fwd)

Chris Green cmg at ...435...
Fri Feb 14 12:03:34 EST 2003


Carl Gibbons <cgibbons at ...1299...> writes:

> (This may be a frequently asked question...)
>
> Is the "within" option in Snort 1.9 signatures working properly?
>
> For example, in this rule in imap.rules:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:" AUTHENTICATE "; nocase; content:!"|0a|"; within:1024; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:1844; rev:4;)
>
> I read the options
>   content:!"|0a|"; within:1024;
> as
>   "match if 0x0a (newline) does not appear in the
>    first 1024 bytes of the payload."
>
> Nevertheless, this rule just alerted on a packet with the following payload:
>
> 32 20 61 75 74 68 65 6E 74 69 63 61 74 65 20 70  2 authenticate p
> 6C 61 69 6E 0D 0A                                lain..

Was the packet sent through the stream reassembler?  I just committed
patches to 1.9 CVS that should clear up a lot of those errors people
are running into.

-- 
Chris Green <cmg at ...435...>
Let not the sands of time get in your lunch.
