[Snort-sigs] Bug in matching engine ?

Cedric Foll cedric.foll at ...1947...
Mon Nov 3 15:16:24 EST 2003


Hi there,

I'm working on worm mail detection with Snort. I've written the following rule:

-------
alert tcp any any -> any 25 (msg:"VIRUS .exe file attachment"; 
flow:to_server,established; content:"Content-Type|3a|"; content:"name="; 
distance:0; within:128; content:".exe"; distance:0; within:128; nocase; 
classtype:suspicious-filename-detect; sid:20000003; rev:1;)
-------

Snort doesn't raise an alert on the following packet:

------------
T 216.127.196.18:3353 -> 194.167.110.33:25 [A]
(...)
  Y3E9ntVV3lDWSUBAQA7....--ucdlntjiqcrt..Content-Type: 
image/gif..Content-Transfer-Encoding: base64..Content-ID: <visjkjo>
 (...)
  gQSJCQcWCggIADs=....--ucdlntjiqcrt--....--nusngaoantcme..Content-Type: 
application/x-msdownload; name="update8912.exe"..
  Content-Transfer-Encoding: base64..Content-Disposition: 
attachment....TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAA
 (...)
---------------------------------------------

Could the problem be that the engine tries to get the 2 last "content"s 
right after having found the first "Content-Type|3a|" (and never reaches 
the second Content-Type|3a|)?
If I remove the "distance:0; within:128;" it works.

Regards.
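The behaviour described in the post, as an added example that is not part of the original message and not Snort's code: a small Python model of a content chain with distance/within modifiers, evaluated once without retrying an earlier content at its next occurrence and once with that backtracking, plus the poster's variant with the relative modifiers removed. The payload is a constructed stand-in shaped like the quoted packet (a GIF part followed by the application/x-msdownload part with name="update8912.exe"); the base64 filler and the exact distance/within semantics are assumptions, labelled in the code.

```python
"""Model of Snort-style content chain evaluation (added illustration, not
Snort's implementation).

Assumptions, chosen for the illustration and not taken from Snort:
  * a content with no distance/within is searched from offset 0;
  * distance:D / within:W means the whole match must lie inside the W
    bytes that begin D bytes after the end of the previous match;
  * a "non-backtracking" engine takes the first occurrence of each content
    and gives up if a later content in the chain is not found, while a
    "backtracking" engine retries an earlier content at its next occurrence.
"""

CRLF = b"\r\n"

# Constructed filler standing in for the elided base64 GIF body. It is
# longer than 128 bytes so that the second part's name= lies well outside
# the window that follows the first "Content-Type:".
GIF_B64 = b"R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" * 4

# Constructed payload modelled on the packet excerpt in the post.
PAYLOAD = CRLF.join([
    b"--ucdlntjiqcrt",
    b"Content-Type: image/gif",
    b"Content-Transfer-Encoding: base64",
    b"Content-ID: <visjkjo>",
    b"",
    GIF_B64,
    b"--ucdlntjiqcrt--",
    b"",
    b"--nusngaoantcme",
    b'Content-Type: application/x-msdownload; name="update8912.exe"',
    b"Content-Transfer-Encoding: base64",
    b"Content-Disposition: attachment",
    b"",
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAA",
])

# (pattern, distance, within, nocase); distance None means absolute search.
# Mirrors the post's rule: nocase applies only to the ".exe" content.
RULE_RELATIVE = [
    (b"Content-Type:", None, None, False),
    (b"name=", 0, 128, False),
    (b".exe", 0, 128, True),
]
# The same contents with "distance:0; within:128;" removed, as the poster tried.
RULE_ABSOLUTE = [(p, None, None, n) for p, _, _, n in RULE_RELATIVE]


def match_chain(payload, rule, backtrack):
    """Return [(start, end), ...] for each content in rule, or None."""
    def rec(idx, base):
        if idx == len(rule):
            return []
        pat, dist, within, nocase = rule[idx]
        hay = payload.lower() if nocase else payload
        needle = pat.lower() if nocase else pat
        if dist is None:
            lo, hi = 0, len(payload)          # absolute content
        else:
            lo = base + dist                   # relative to previous match end
            hi = min(len(payload), lo + within)
        pos = hay.find(needle, lo, hi)         # match must fit inside [lo, hi)
        while pos != -1:
            rest = rec(idx + 1, pos + len(needle))
            if rest is not None:
                return [(pos, pos + len(needle))] + rest
            if not backtrack:
                return None                    # first hit or nothing
            pos = hay.find(needle, pos + 1, hi)  # retry at the next occurrence
        return None
    return rec(0, 0)


def describe(payload, matches):
    """Matched byte strings, or None when the chain did not match."""
    return None if matches is None else [payload[s:e] for s, e in matches]


if __name__ == "__main__":
    for name, rule, bt in [("relative, no backtrack", RULE_RELATIVE, False),
                           ("relative, backtrack", RULE_RELATIVE, True),
                           ("absolute contents", RULE_ABSOLUTE, False)]:
        print(f"{name:24s}: {describe(PAYLOAD, match_chain(PAYLOAD, rule, bt))}")
```

With the relative modifiers and no retry, the chain stops at the GIF part's "Content-Type:" and never reaches the executable part; with retry it anchors on the second "Content-Type:" and finds name= and .exe inside their 128-byte windows. Dropping distance/within makes the rule fire too, but each content is then found anywhere in the payload, so ".exe" in plain message text would satisfy it as well.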
