[Snort-sigs] Bug in matching engine?

Cedric Foll cedric.foll at ...1947...
Mon Nov 3 15:16:24 EST 2003

Hi there,

I'm working on worm mail detection with Snort. I've written the following rule:

alert tcp any any -> any 25 (msg:"VIRUS .exe file attachment"; 
flow:to_server,established; content:"Content-Type|3a|"; content:"name="; 
distance:0; within:128; content:".exe"; distance:0; within:128; nocase; 
classtype:suspicious-filename-detect; sid:20000003; rev:1;)

Snort doesn't raise an alert on the following packet:

T -> [A]
image/gif..Content-Transfer-Encoding: base64..Content-ID: <visjkjo>
application/x-msdownload; name="update8912.exe"..
  Content-Transfer-Encoding: base64..Content-Disposition: 

Could the problem be that the engine tries to find the 2 last "content"s 
just after having found the first "Content-Type|3a|" (and never reaches 
the second Content-Type|3a|)?
If I remove the "distance:0; within:128;" it works.
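To make the hypothesis in this post concrete, here is an added illustration (not code from the post and not Snort's own matching engine): a small model of ordered content matching with `distance`/`within`, evaluated two ways over a constructed payload. The payload is modelled on the dump above, with a `Content-Type:` header assumed before `application/x-msdownload` (the dump does not show it) and a longer first MIME part so that the first `Content-Type:` is more than 128 bytes before `name=`. A "greedy" evaluator locks onto the first hit of an absolute content and never retries it; a backtracking evaluator retries the earlier content at its next occurrence when a later relative content fails. The `within` window is modelled as the bytes after `distance` in which the pattern must fit entirely; which behaviour a given Snort version implements is not something this example asserts.

```python
"""Model of Snort-style ordered content matching (illustration, not Snort code)."""

# Constructed payload modelled on the packet in the post. The first part is padded
# with a fake base64 body so the gap between the first "Content-Type:" and "name="
# exceeds the rule's within:128 window.
PAYLOAD = (
    b"Content-Type: image/gif\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-ID: <visjkjo>\r\n"
    + b"A" * 64 + b"\r\n"              # constructed filler standing in for the body
    + b"\r\n--boundary\r\n"            # assumed MIME boundary
    b"Content-Type: application/x-msdownload; name=\"update8912.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment\r\n"
)

# The rule from the post as (pattern, distance, within, nocase). distance/within of
# None means an absolute match searched from the start of the payload; note that in
# the original rule "nocase" follows only the ".exe" content.
RULE = [
    (b"Content-Type:", None, None, False),
    (b"name=", 0, 128, False),
    (b".exe", 0, 128, True),
]


def find(payload, pattern, start, end, nocase):
    """Return the offset of the first hit of pattern fully inside payload[start:end], else None."""
    hay = payload[start:end]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    i = hay.find(pattern)
    return None if i < 0 else start + i


def window(payload, cursor, distance, within):
    """Search window for one content given the end offset of the previous match."""
    if distance is None:
        return 0, len(payload)
    start = cursor + distance
    return start, min(len(payload), start + within)


def match_greedy(payload, rule):
    """Evaluate contents in order; each content keeps its first hit and is never retried."""
    cursor = 0
    for pattern, distance, within, nocase in rule:
        start, end = window(payload, cursor, distance, within)
        pos = find(payload, pattern, start, end, nocase)
        if pos is None:
            return False
        cursor = pos + len(pattern)
    return True


def match_backtracking(payload, rule, idx=0, cursor=0):
    """Evaluate contents in order, retrying an earlier content at its next occurrence
    whenever the later relative contents fail from the current anchor."""
    if idx == len(rule):
        return True
    pattern, distance, within, nocase = rule[idx]
    start, end = window(payload, cursor, distance, within)
    pos = find(payload, pattern, start, end, nocase)
    while pos is not None:
        if match_backtracking(payload, rule, idx + 1, pos + len(pattern)):
            return True
        pos = find(payload, pattern, pos + 1, end, nocase)
    return False


def without_relative_modifiers(rule):
    """The same rule with distance/within dropped, as the post describes trying."""
    return [(p, None, None, nc) for p, _, _, nc in rule]


if __name__ == "__main__":
    print("greedy:               ", match_greedy(PAYLOAD, RULE))
    print("backtracking:         ", match_backtracking(PAYLOAD, RULE))
    print("greedy, no dist/within:", match_greedy(PAYLOAD, without_relative_modifiers(RULE)))
```

On this payload the greedy evaluator anchors on the first `Content-Type:`, finds no `name=` within 128 bytes and gives up, while the backtracking evaluator moves on to the second `Content-Type:` and fires; dropping `distance`/`within` turns every content into an independent absolute search, which fires in both models, matching the behaviour reported in the post. The practical check is the same whichever engine version is in use: when a rule with relative contents fails on a payload where the pattern is visibly present, look at whether the first content can legitimately anchor on an earlier, unrelated occurrence.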

