[Snort-sigs] Sid:1845 IMAP list overflow attempt
bmc at ...95...
Thu Feb 27 05:06:10 EST 2003
On Wed, Feb 26, 2003 at 07:19:02PM -0600, Schmehl, Paul L wrote:
> Wait a minute. Maybe I'm not understanding the meaning of within. The
> rule reads:
> content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024;
> Wouldn't this mean that if you find a new line within the first 1024
> bytes the rule triggers?
The rule triggers if you don't see a \n within 1024 characters from the
END of the previous content.
More information about the Snort-sigs