[Snort-sigs] SID 663, SMTP rcpt to sed command attempt
grundsch at ...592...
Mon Jul 14 09:18:46 EDT 2003
From what I've been able to understand from the doc:
it says there that "distance [...] makes sure that at least N bytes are
between pattern matches".
"At least" doesn't mean "exactly". From what I understood, you would
have to combine it with a "within" keyword.
(if this is true, the usage of "distance:0" is just stupid as you could
put all in one "content" section).
On the other hand, the definition of "within" in the handbook looks like
a wrong copy/paste from the "distance" one, which really doesn't help
to understand this correctly...
Anybody with clear insight into the semantics of these keywords wants to
rewrite the two paragraphs in the doc? :-)
On Sunday, Jul 13, 2003, at 23:00 Europe/Zurich, Nathan Bain wrote:
> The documentation for SID 663, SMTP rcpt to sed command attempt, says
> there are no known false positives. However, Snort has given me
> apparent false positives.
> Doesn't the "distance:0" option mean that the content blocks should be
> immediately next to each other? It seems that my version of snort
> (2.0.0) interprets this option to mean there should be any amount of
> distance between the content blocks, triggering obvious false alerts.
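The following is an added illustration, written for this thread; it is neither Snort's code nor anything the posters wrote. It models the two content modifiers under the assumptions stated in its comments (distance as a minimum gap after the previous match, within as a search window of that many bytes), using constructed patterns and constructed SMTP lines rather than the real SID 663 rule. It shows why a second content carrying only distance:0 can match text far past the first one, while adding within with a value equal to the pattern length pins the second match to the byte right after the first.

```python
from typing import List, Optional, Tuple

# Modelling assumptions (taken from the Snort manual's wording, not from the
# engine's source): distance:N requires the next match to start at least N
# bytes after the end of the previous match; within:N requires the next
# pattern to be found entirely inside the N bytes that follow that point.

Content = Tuple[bytes, int, Optional[int]]   # (pattern, distance, within)


def find_relative(payload: bytes, pattern: bytes, prev_end: int,
                  distance: int = 0, within: Optional[int] = None) -> Optional[int]:
    """Find `pattern` relative to the end of the previous match.

    Returns the end offset of the first acceptable match, or None.
    """
    start = prev_end + distance
    window = payload[start:] if within is None else payload[start:start + within]
    idx = window.find(pattern)
    return None if idx < 0 else start + idx + len(pattern)


def rule_matches(payload: bytes, contents: List[Content]) -> bool:
    """Evaluate a chain of content matches the way a rule's modifiers chain them.

    The first entry is an absolute search from the start of the payload; each
    later entry is searched relative to where the previous one ended.
    """
    first, _, _ = contents[0]
    idx = payload.find(first)
    if idx < 0:
        return False
    prev_end = idx + len(first)
    for pattern, distance, within in contents[1:]:
        prev_end = find_relative(payload, pattern, prev_end, distance, within)
        if prev_end is None:
            return False
    return True


# Constructed patterns standing in for the two content blocks of a
# "rcpt to ... sed" style rule; they are NOT the actual SID 663 rule.
LOOSE_RULE: List[Content] = [(b"rcpt to:", 0, None), (b"sed", 0, None)]  # distance:0 only
STRICT_RULE: List[Content] = [(b"rcpt to:", 0, None), (b"sed", 0, 3)]    # distance:0; within:3

# Constructed sample SMTP lines (not captured traffic).
BENIGN = b"rcpt to: <alice@used.example.com>\r\n"  # "sed" appears inside "used"
ADJACENT = b"rcpt to:sed\r\n"                      # "sed" immediately follows
ONE_GAP = b"rcpt to: sed\r\n"                      # one byte between the two


def demo() -> dict:
    """Return which rule fires on which sample, keyed by (rule, sample) names."""
    return {
        ("loose", "benign"): rule_matches(BENIGN, LOOSE_RULE),        # True: false positive
        ("strict", "benign"): rule_matches(BENIGN, STRICT_RULE),      # False
        ("strict", "adjacent"): rule_matches(ADJACENT, STRICT_RULE),  # True
        ("strict", "one_gap"): rule_matches(ONE_GAP, STRICT_RULE),    # False
    }


if __name__ == "__main__":
    for key, fired in demo().items():
        print(f"{key[0]:6s} rule on {key[1]:8s}: {'alert' if fired else 'no alert'}")
```

Run as a script it prints one line per rule/sample pair. The benign address fires the loose rule because distance:0 only sets a lower bound on the gap; the strict rule rejects both the benign line and the one-byte gap, and only accepts the adjacent case, which is the "exactly next to each other" behaviour the question asked about.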