[Snort-sigs] Sid:2113 FP
mwatchinski at ...435...
Wed Jul 7 15:13:15 EDT 2004
1. offset starts from 0, i.e.
   \x62\x63\x00 = content:"|00|"; offset:2; depth:1
   if you want to find that \x00.
2. Without the depth keyword offset just says skip this many bytes and
start detection here.
3. Distance is like offset as it says start detection this many bytes
from the last content match.
So this rule essentially says this.
Start looking for \x00 after the first ten bytes of the packet. If you
find that, look for \x00 starting 0 bytes past where you found \x00. If
you find that, start looking for another \x00 starting 0 bytes past where
you found the previous \x00.
i.e. this rule would alert on the following
>alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec
>username overflow attempt"; flow:to_server,established;
>content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|";
>distance:0; classtype:attempted-admin; sid:2113; rev:3;)
>Before I can tell whether or not I am seeing a false positive on this
>rule, can someone please help me understand something? According to
>the rule above, snort is looking for 00 starting on the 9th byte.
>After it finds that 00, it wants to see 00 as the next byte and then
>00 as the one after that. So essentially, Snort is looking for
>"|000000|". Is that right? Does "distance: 0" make sense?
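An added example, not from the list post or from Snort's own code: a small Python model of the content / offset / depth / distance / within semantics discussed above, run over constructed payloads against the sid:2113 content chain. It shows that distance:0 is a minimum gap measured from the end of the previous match, so the three NULs only have to appear in order after the offset, not as an adjacent "|000000|". The matcher and the sample payloads are assumptions made for illustration.

```python
# Simplified model of Snort content matching (offset/depth are absolute to the
# payload start; distance/within are relative to the end of the previous match).
# Constructed for illustration; it is not Snort's detection engine.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    offset: int = 0               # skip this many bytes from payload start
    depth: Optional[int] = None   # search only this many bytes from offset
    distance: int = 0             # skip this many bytes past the previous match
    within: Optional[int] = None  # pattern must fit within this many bytes


def match_chain(payload: bytes, contents: List[Content]) -> Optional[List[int]]:
    """Return the end position of each content match, or None if any fails."""
    cursor = None          # end of the previous match; None for the first content
    ends: List[int] = []
    for c in contents:
        if cursor is None:  # first content: absolute window from offset
            start = c.offset
            end = len(payload) if c.depth is None else min(len(payload), start + c.depth)
        else:               # later contents: window relative to previous match end
            start = cursor + c.distance
            end = len(payload) if c.within is None else min(len(payload), start + c.within)
        idx = payload.find(c.pattern, start, end)  # pattern must lie fully inside window
        if idx < 0:
            return None
        cursor = idx + len(c.pattern)
        ends.append(cursor)
    return ends


# The three content matches of sid:2113 from the rule quoted above.
SID_2113 = [Content(b"\x00", offset=9), Content(b"\x00", distance=0),
            Content(b"\x00", distance=0)]

# Constructed payloads (not real captures).
ADJACENT = b"0" * 9 + b"\x00\x00\x00"            # NULs adjacent after byte 9
SPREAD = b"0" * 9 + b"\x00ab\x00cd\x00"          # NULs in order but separated
EARLY = b"\x00\x00\x00" + b"0" * 9               # NULs only before the offset


def demo() -> dict:
    return {
        "adjacent": match_chain(ADJACENT, SID_2113),
        "spread": match_chain(SPREAD, SID_2113),     # also matches: distance is a minimum
        "early": match_chain(EARLY, SID_2113),       # no match: offset:9 skips them
        # the offset/depth example from the reply: find the \x00 in \x62\x63\x00
        "depth_ok": match_chain(b"\x62\x63\x00", [Content(b"\x00", offset=2, depth=1)]),
        "depth_miss": match_chain(b"\x62\x63\x00", [Content(b"\x00", offset=1, depth=1)]),
    }
```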