[Snort-sigs] RE: [Snort-users] More sid 1841

Schmehl, Paul L pauls at ...1311...
Sat Feb 22 09:01:07 EST 2003


If I understand the rules docs correctly (and there's no guarantee that
I do), the depth parameter is measured from the beginning of the
payload, not from the beginning of a previous content search.

So something like this wouldn't work, right?

content:"javascript\://"; nocase; content:"\\n"; depth:255;

Can you use regexp wild cards like this?

content:"javascript\://*\";

Or better yet, like this?

content:"javascript\://*{255}\n";

And should we take this discussion to the snort-sigs list?  (I'm ccing
it just in case we should.)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/



-----Original Message-----
From: Michael Boman [mailto:michael.boman at ...267...] 
Sent: Saturday, February 22, 2003 8:59 AM
To: Matt Kettler
Cc: Schmehl, Paul L; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] More sid 1841

According to RFC 1034 and 1035 the hostname can be a maximum of 255
bytes, so just make sure the '\n' are within 255 bytes from the end of
'javascript://'.
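As an added illustration (not from the thread), a small Python model of the two content semantics under discussion: the rule as written, where depth:255 is measured from the payload start, beside the relative check Michael describes. The within and pcre options named in the comments are Snort 2.x features assumed here; the thread itself does not mention them.

```python
import re

# Snort 'content' matching as discussed in the thread, modelled in Python.
JS_URI = b"javascript://"
NEWLINE = b"\n"

def find_nocase(payload: bytes, needle: bytes) -> int:
    """content:"..."; nocase; -- case-insensitive search from payload start."""
    return payload.lower().find(needle.lower())

def rule_as_written(payload: bytes) -> bool:
    r"""content:"javascript\://"; nocase; content:"\n"; depth:255;
    depth is absolute: the newline is sought in the FIRST 255 bytes of the
    payload, no matter where 'javascript://' matched."""
    if find_nocase(payload, JS_URI) < 0:
        return False
    return payload[:255].find(NEWLINE) >= 0

def rule_relative(payload: bytes, within: int = 255) -> bool:
    """Intended check: a newline in the 255 bytes that FOLLOW 'javascript://'.
    Assumption: Snort 2.x spells this 'within:255' on the second content
    (the thread does not name the modifier)."""
    hit = find_nocase(payload, JS_URI)
    if hit < 0:
        return False
    start = hit + len(JS_URI)
    return payload[start:start + within].find(NEWLINE) >= 0

# 'content' has no wildcards; the Snort 2.x 'pcre' option does (assumption:
# version). Same intent as rule_relative: 0..254 non-newline bytes, then \n.
JS_PCRE = re.compile(rb"javascript://[^\n]{0,254}\n", re.IGNORECASE)

def rule_pcre(payload: bytes) -> bool:
    return JS_PCRE.search(payload) is not None

# Constructed payloads (not captured traffic).
EARLY = b'<a href="JavaScript://\n">x</a>'        # URI at byte 9, newline right after
LATE_HIT = b"A" * 400 + b"<a href=javascript://\n>"  # URI beyond byte 255
EARLY_NL = b"GET / HTTP/1.0\r\n" + b"B" * 400 + b"javascript://" + b"C" * 300

def evaluate(payload: bytes) -> tuple:
    """(as written, relative, pcre) verdicts for one payload."""
    return (rule_as_written(payload), rule_relative(payload), rule_pcre(payload))

if __name__ == "__main__":
    for name, p in [("EARLY", EARLY), ("LATE_HIT", LATE_HIT), ("EARLY_NL", EARLY_NL)]:
        print(name, evaluate(p))
```

LATE_HIT shows the miss Paul is worried about (the URI sits past byte 255, so an absolute depth never sees its newline), and EARLY_NL shows the opposite problem: a newline in the request line satisfies the absolute depth even though nothing follows the URI.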
