[Snort-sigs] sid:1841 / Question about within: x
nard at ...2038...
Wed Nov 26 04:26:12 EST 2003
I am seeing some FP's on sid 1841, so am attempting to improve the rule to
is more for a learning exercise than anything else.
On further inspection of the vulnerability, successful exploitation
requires a line of code containing the following 3 things without any
whitespace between them.
o some domain name
Therefore a good rule would search for something like the following.
content:!" "; \
Obviously I have made up the "between" keyword / syntax to express my
point, how do I specify this in valid rule language?
I have worked around this at present by using within:15; (see below),
however I am not really happy about how this works as it will not
trigger with short domain names.
Also, I notice there are a few more keywords available in snort current
than what I have seen in the past. Can someone point me to a verbose
document that explains them?