[Snort-sigs] SID 663, SMTP rcpt to sed command attempt

stephane grundsch at ...592...
Mon Jul 14 09:18:46 EDT 2003


From what I've been able to understand from the doc:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.38

it says there that "distance [...] makes sure that at least N bytes are 
between pattern matches".
"At least" doesn't mean "exactly". From what I understood, you would 
have to combine it with a "within" keyword.
(if this is true, the usage of "distance:0" is just stupid as you could 
put all in one "content" section).

On the other hand, the definition of "within" in the handbook looks 
like a wrong copy/paste from the "distance" one, which really 
doesn't help in understanding this correctly...

Does anybody with clear insight into the semantics of these keywords want 
to rewrite the two paragraphs in the doc? :-)

Steph

On Sunday, Jul 13, 2003, at 23:00 Europe/Zurich, Nathan Bain wrote:

> Hello,
>
> The documentation for SID 663, SMTP rcpt to sed command attempt, says
> there are no known false positives.  However, Snort has given me several
> apparent false positives.
>
> Doesn't the "distance:0" option mean that the content blocks should be
> immediately next to each other?  It seems that my version of snort
> (2.0.0) interprets this option to mean there should be any amount of
> distance between the content blocks, triggering obvious false alerts.  Is
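The behaviour Nathan reports and the "at least N" / "at most N" reading of the doc that Steph quotes, as an added Python model that is not part of this thread and is not Snort's own matching engine: "distance:N" is modelled as "at least N bytes between the end of the previous content match and the start of the next", "within:M" as "at most M bytes between them", following the doc wording quoted above. The three-content chain and the two SMTP payloads are constructed for illustration only; they are not the actual SID 663 rule text, which this page does not reproduce.

```python
"""Model of chained Snort 'content' matches with distance/within modifiers.

Constructed example, not Snort code.  Semantics follow the Snort 2.0
rule-writing doc wording discussed in the thread:
  distance:N  -> at least N bytes between the end of the previous match
                 and the start of this one
  within:M    -> at most M bytes between them (None = unbounded)
"""
from typing import List, Optional, Tuple

# (pattern, distance, within); the first element is relative to offset 0.
Chain = List[Tuple[bytes, int, Optional[int]]]


def _match_from(payload: bytes, chain: Chain, idx: int, prev_end: int
                ) -> Optional[List[Tuple[int, int]]]:
    """Match chain[idx:] starting after prev_end, backtracking over every
    occurrence of the current pattern that lies inside its window."""
    if idx == len(chain):
        return []
    pattern, distance, within = chain[idx]
    lo = prev_end + distance                       # earliest allowed start
    hi = len(payload) if within is None else prev_end + within  # latest start
    pos = payload.find(pattern, lo)
    while pos != -1 and pos <= hi:
        rest = _match_from(payload, chain, idx + 1, pos + len(pattern))
        if rest is not None:
            return [(pos, pos + len(pattern))] + rest
        pos = payload.find(pattern, pos + 1)       # try a later occurrence
    return None


def match_chain(payload: bytes, chain: Chain) -> Optional[List[Tuple[int, int]]]:
    """Return the (start, end) span of each content in the chain, or None."""
    return _match_from(payload, chain, 0, 0)


def alerts(payload: bytes, chain: Chain) -> bool:
    """True if the rule modelled by `chain` would fire on this payload."""
    return match_chain(payload, chain) is not None


# Hypothetical three-content chain in the spirit of the rule under
# discussion (NOT the real SID 663 signature): "rcpt to:" then "|" then "sed".
LOOSE_CHAIN: Chain = [(b"rcpt to:", 0, None), (b"|", 0, None), (b"sed", 0, None)]
# Same chain, but "sed" must start at most 0 bytes after "|" (i.e. adjacent).
TIGHT_CHAIN: Chain = [(b"rcpt to:", 0, None), (b"|", 0, None), (b"sed", 0, 0)]

# Constructed sample payloads.
BENIGN = b"rcpt to: bob@example.test\r\nsubject: pipe | symbol and a used sedan\r\n"
MALICIOUS = b"rcpt to: |sed -e 's/a/b/' bob@example.test\r\n"


if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, "distance:0 only ->", alerts(payload, LOOSE_CHAIN),
              "| with within:0 ->", alerts(payload, TIGHT_CHAIN))
```

With "distance:0" alone the benign message fires, because the model (like the doc's "at least N bytes") accepts any gap between "|" and "sed"; adding "within:0" on the last content restricts the gap to zero bytes and only the adjacent "|sed" payload still matches. Only the "at least" versus "at most" distinction is being illustrated here; the real engine's exact window arithmetic is not reproduced, and this model also does not cover other modifiers such as "offset"/"depth" or "nocase".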
