[Snort-sigs] Sid:1845 IMAP list overflow attempt

Brian bmc at ...95...
Thu Feb 27 05:06:10 EST 2003


On Wed, Feb 26, 2003 at 07:19:02PM -0600, Schmehl, Paul L wrote:
> Wait a minute.  Maybe I'm not understanding the meaning of within.  The
> rule reads:
> content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024;
> 
> Wouldn't this mean that if you find a new line within the first 1024
> bytes the rule triggers?

The rule triggers if you don't see a \n within 1024 characters from the
END of the previous content.

-brian




More information about the Snort-sigs mailing list