[Snort-sigs] Question about rule semantic

stephane grundsch at ...592...
Thu Jun 19 09:18:14 EDT 2003


Hello,

I've been investigating a rule (sid:1919) more carefully. As a 
refresher, here's the definition:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow 
attempt"; flow:to_server,established; content:"CWD "; nocase; 
content:!"|0a|"; within:100; reference:cve,CAN-2000-1035; 
reference:cve,CAN-2000-1194; reference:cve,CAN-2002-0126; 
classtype:attempted-admin; sid:1919; rev:3;)

Its purpose is to catch potential buffer overflows. I think the author 
thought this rule would work as follows:
- match if there is "CWD " followed by 100 chars without a '0x0a' 
(linefeed).

I think this is wrong, and it will actually work like this:
- match if there is "CWD " followed by anything different than '0x0a' 
within the next 100 bytes

The second interpretation will match all the time... even if there are 
less than 100 bytes (I've seen quite a lot of false alerts matching 
this).

I'm not sure how to change this. Would the "distance" keyword help? 
(I'm quite new here... and the doc for these two keywords is confusing) 
But then what would happen if there are many commands? Will the rule 
then match even if there have been already 0x0a before the 100th byte?
Expert help is needed here. (or is it a limitation of the rule 
language?)

Additionally, I made a quick grep, and found the following 46 sids 
matching this construct:

grep '!"|0a|"; within' *.rules | sed 's/.*sid/sid/' | sort

sid:337; rev:5;)
sid:654; rev:7;)
sid:657; rev:7;)
sid:1379; rev:5;)
sid:1382; rev:7;)
sid:1388; rev:4;)
sid:1529; rev:7;)
sid:1538; rev:5;)
sid:1549; rev:11;)
sid:1562; rev:6;)
sid:1621; rev:8;)
sid:1634; rev:6;)
sid:1635; rev:6;)
sid:1734; rev:7;)
sid:1792; rev:5;)
sid:1838; rev:4;)
sid:1842; rev:5;)
sid:1844; rev:5;)
sid:1866; rev:5;)
sid:1888; rev:3;)
sid:1903; rev:3;)
sid:1904; rev:2;)
sid:1919; rev:3;)
sid:1919; rev:3;)
sid:1919; rev:3;)
sid:1920; rev:1;)
sid:1921; rev:1;)
sid:1936; rev:2;)
sid:1937; rev:2;)
sid:1938; rev:2;)
sid:1942; rev:1;)
sid:1972; rev:1;)
sid:1973; rev:1;)
sid:1974; rev:1;)
sid:1975; rev:1;)
sid:1975; rev:1;)
sid:1975; rev:1;)
sid:1976; rev:1;)
sid:2106; rev:1;)
sid:2107; rev:1;)
sid:2108; rev:1;)
sid:2109; rev:1;)
sid:2110; rev:1;)
sid:2111; rev:1;)
sid:2112; rev:1;)
sid:2118; rev:1;)

Thanks for your help,
	Stéphane
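The two readings of `content:!"|0a|"; within:100;` discussed in the post, as an added worked example (constructed here; it is neither Stéphane's code nor Snort's matching engine). It models the modifier the way the Snort manual documents negated content (the option succeeds when the byte is absent from the window that follows the previous match) beside the reading the rule author apparently intended (at least 100 bytes follow "CWD " and none is a linefeed), and runs both over constructed FTP payloads. The sample payloads and the helper names are assumptions made for the illustration.

```python
# Constructed model of two readings of a Snort negated-content modifier.
# Not Snort's own code; the payloads below are made up for illustration.
from typing import List, Tuple


def _anchor_ends(payload: bytes, anchor: bytes) -> List[int]:
    """Offsets just past every case-insensitive occurrence of `anchor`
    (models content:"CWD "; nocase; which may match more than once)."""
    hay, needle = payload.lower(), anchor.lower()
    ends, i = [], hay.find(needle)
    while i >= 0:
        ends.append(i + len(needle))
        i = hay.find(needle, i + 1)
    return ends


def documented_reading(payload: bytes, anchor: bytes = b"CWD ",
                       banned: bytes = b"\n", window: int = 100) -> bool:
    """content:"CWD "; nocase; content:!"|0a|"; within:100;
    as the manual describes negated content: succeed when `banned` does
    not occur in the `window` bytes after the anchor. Snort retries later
    anchor occurrences when a following option fails, so one occurrence
    whose window lacks the byte is enough to alert. A short window (the
    segment ends before 100 bytes) trivially lacks the byte."""
    return any(banned not in payload[s:s + window]
               for s in _anchor_ends(payload, anchor))


def intended_reading(payload: bytes, anchor: bytes = b"CWD ",
                     banned: bytes = b"\n", window: int = 100) -> bool:
    """What the rule author apparently meant: a full `window` of bytes
    follows the anchor and none of them is `banned`. Requiring the bytes
    to exist first is what isdataat:100,relative; expresses in Snort."""
    return any(len(payload[s:s + window]) == window
               and banned not in payload[s:s + window]
               for s in _anchor_ends(payload, anchor))


# Constructed FTP client payloads (labels are ours, not alert messages).
SAMPLES: List[Tuple[str, bytes]] = [
    ("normal CWD with CRLF",            b"CWD pub\r\n"),
    ("150-byte path, CRLF after it",    b"CWD " + b"A" * 150 + b"\r\n"),
    ("segment ends before the newline", b"CWD pub"),
    ("two commands, second one long",   b"cwd pub\r\ncwd " + b"B" * 120 + b"\r\n"),
    ("newline inside the 100-byte window",
                                        b"CWD " + b"A" * 50 + b"\r\n" + b"A" * 80),
    ("no CWD at all",                   b"USER anonymous\r\n"),
]


def compare(samples: List[Tuple[str, bytes]] = SAMPLES) -> List[Tuple[str, bool, bool]]:
    """Evaluate both readings on every sample: (label, documented, intended)."""
    return [(label, documented_reading(p), intended_reading(p)) for label, p in samples]


if __name__ == "__main__":
    for label, documented, intended in compare():
        print(f"{label:36s} documented={documented!s:5s} intended={intended}")
```

The two readings agree on everything except the short segment: a "CWD pub" that arrives without its newline (or any payload where the anchor sits within 100 bytes of the end) satisfies the documented reading because the linefeed is simply not there to be found, which is the kind of false alert the post describes. The intended reading only fires once a full 100 non-linefeed bytes are present after the command.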