[Snort-sigs] Signature Hiccup

stephane grundsch at ...592...
Fri Jun 27 13:12:03 EDT 2003


Yeah, actually it seems that the rules following this construction are 
just wrong.
(I've posted a question about this; you can search for the title 
"question about rule semantic".)
The idea of the author was to catch a potential buffer overflow when a 
command (in this case SMTP HELP) was particularly long, i.e. without a 
0x0a (cr) in the next X bytes.
Unfortunately, the engine interprets the rule as positive if there is 
something other than 0x0a within the next X bytes... The only case 
for this rule not to match (after seeing the "help" content option) is 
if there are 500 0x0a bytes!
Brian gave an answer (about rule 1919):
"It would be faster to define it like this:

match if there is a "CWD", followed by at least 100 bytes of data,
without a 0x0a within 100 bytes of CWD.

While this can be done via an abuse of byte_test, a better approach is
in the works."

OK, I have to say that I didn't manage to find a way to use 
byte_test to implement the proposed rule... Anybody? This may really be 
something to look into, as there are 46 other rules with the same 
construct (and I'm seriously considering disabling all of them).

Finally, Brian's answer seems to indicate they are working on 
better/new matching functionality. Let's see!

Steph

On Thursday, June 26, 2003, at 21:58 Europe/Zurich, Dale L. Handy wrote:

> I had a strange thing happen on sid 657.  I received this packet that 
> triggered a rule, but I don't think it should, or else I don't 
> understand the "within" option like I thought I did.  It is 
> essentially a packet from the middle of an SMTP session.  The "HELP " 
> content option picked it up, but then the !"|0a|" content option 
> didn't catch the |0a| at the 17th byte in the packet!
> Is this a misunderstanding (on my part) of how within works, or is it 
> a misfire in the detection engine?  Any ideas?
>
> (BTW, I changed the IP addresses in the packet...)
>
> Thanks...
>
> ====================================================== Rule
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow";
>   flow:to_server,established,no_stream; content:"HELP "; nocase; depth:5;
>   content:!"|0a|"; within:500; reference:bugtraq,2387; reference:arachnids,266;
>   reference:cve,CAN-1999-0261; classtype:attempted-admin; sid:657; rev:7;)
>
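The following is an added example, not code from the thread or from Snort: a small Python model of the three possible readings of the sid:657 construct `content:"HELP "; nocase; depth:5; content:!"|0a|"; within:500;` discussed above (the reading Steph describes, where the negated content is satisfied by any non-0x0a byte; the reading the rule author intended, where no 0x0a may appear in the window; and Brian's proposed semantic, which additionally requires at least 500 bytes of data after the command). The packets are constructed for illustration, not Dale's actual capture; the function names and the 17th-byte LF placement are assumptions made here to mirror his description.

```python
"""
Model of three readings of the sid:657 construct
    content:"HELP "; nocase; depth:5; content:!"|0a|"; within:500;
evaluated on constructed SMTP payloads.  Added example for this thread;
it is not Snort's detection engine and the packets are made up here.
"""
from typing import Optional

LF = 0x0A
WINDOW = 500          # the 'within:500' value from sid:657
DEPTH = 5             # the 'depth:5' value from sid:657
CMD = b"HELP "        # the first content option from sid:657


def command_end(payload: bytes, cmd: bytes = CMD, depth: int = DEPTH) -> Optional[int]:
    """Emulate 'content:CMD; nocase; depth:N': a case-insensitive match that
    must lie entirely within the first N bytes of the payload.  Returns the
    offset just past the match (where a relative 'within' window starts),
    or None if the command is not found there."""
    idx = payload[:depth].lower().find(cmd.lower())
    return None if idx < 0 else idx + len(cmd)


def fires_any_non_lf(payload: bytes, window: int = WINDOW) -> bool:
    """The reading Steph describes: the negated content counts as satisfied
    as soon as some byte in the window differs from 0x0a.  Under this reading
    almost every HELP packet fires."""
    end = command_end(payload)
    if end is None:
        return False
    return any(b != LF for b in payload[end:end + window])


def fires_no_lf_in_window(payload: bytes, window: int = WINDOW) -> bool:
    """The reading the rule author intended: fire only if no 0x0a occurs in
    the next `window` bytes.  It still fires when the packet simply ends
    before any line terminator, because 'absent from what is there' is not
    the same as 'window bytes present and none of them is 0x0a'."""
    end = command_end(payload)
    if end is None:
        return False
    return LF not in payload[end:end + window]


def fires_long_line(payload: bytes, window: int = WINDOW) -> bool:
    """Brian's proposed semantic: the command is followed by at least
    `window` bytes of data and none of them is 0x0a."""
    end = command_end(payload)
    if end is None:
        return False
    data = payload[end:end + window]
    return len(data) >= window and LF not in data


# --- constructed sample payloads (assumption: not Dale's real packet) -------
# A short, legitimate HELP line whose 0x0a is the 17th byte of the packet,
# followed by more SMTP traffic, in the spirit of the packet Dale describes.
NORMAL_HELP = b"HELP me please!\r\n250 2.0.0 OK\r\n"
assert NORMAL_HELP[16] == LF          # 17th byte (1-based) is the LF

# An overlong HELP argument with no line terminator: the case sid:657 is for.
OVERLONG_HELP = CMD + b"A" * 600

# A fragment that ends before the line terminator arrives.
FRAGMENT = b"HELP me"

# Unrelated SMTP traffic.
OTHER = b"EHLO mail.example.net\r\n"


def summary(payload: bytes) -> dict:
    """Evaluate all three readings on one payload."""
    return {
        "any_non_lf": fires_any_non_lf(payload),
        "no_lf_in_window": fires_no_lf_in_window(payload),
        "long_line": fires_long_line(payload),
    }


if __name__ == "__main__":
    for name, p in [("NORMAL_HELP", NORMAL_HELP), ("OVERLONG_HELP", OVERLONG_HELP),
                    ("FRAGMENT", FRAGMENT), ("OTHER", OTHER)]:
        print(f"{name:14s} {summary(p)}")
```

Running it shows why the thread's complaint matters: under the "any non-LF byte" reading the normal HELP line fires, and even under the intended "no LF in the window" reading a short fragment with no terminator fires, while only the length-plus-no-LF semantic Brian proposes fires solely on the 600-byte argument.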