[Snort-sigs] Sid:2113 FP

sekure sekure at ...2420...
Thu Jul 1 06:23:15 EDT 2004

alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec
username overflow attempt"; flow:to_server,established;
content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|";
distance:0; classtype:attempted-admin; sid:2113; rev:3;)

Before I can tell whether or not I am seeing a false positive on this
rule, can someone please help me understand something?  According to
the rule above, snort is looking for 00 starting on the 9th byte. 
After it finds that 00, it wants to see 00 as the next byte and then
00 as the one after that.  So essentially, Snort is looking for
"|000000|"  Is that right?  Does "distance: 0" make sense?


More information about the Snort-sigs mailing list