[Snort-sigs] Sid:2113 FP

Matthew Watchinski mwatchinski at ...435...
Wed Jul 7 15:13:15 EDT 2004

Not exactly.

1. offset starts from 0, i.e.

\x62\x63\x00 = content:"|00|"; offset:2; depth:1

If you want to find that \x00

2. Without the depth keyword offset just says skip this many bytes and 
start detection here.

3. Distance is like offset as it says start detection this many bytes 
from the last content match.

So this rule essentially says this.

Start looking for \x00 after the first ten bytes of the packet.  If you 
find that, look for \x00 starting 0 bytes past where you found \x00.  If 
you find that start looking for another \x00 starting 0 bytes past where 
you found the previous \x00.

i.e. this rule would alert on the following

sekure wrote:

>alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec
>username overflow attempt"; flow:to_server,established;
>content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|";
>distance:0; classtype:attempted-admin; sid:2113; rev:3;)
>Before I can tell whether or not I am seeing a false positive on this
>rule, can someone please help me understand something?  According to
>the rule above, snort is looking for 00 starting on the 9th byte. 
>After it finds that 00, it wants to see 00 as the next byte and then
>00 as the one after that.  So essentially, Snort is looking for
>"|000000|"  Is that right?  Does "distance: 0" make sense?

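To make the offset/depth/distance semantics from the reply concrete, here is a small added Python model (not Snort's code and not from anyone in the thread) that applies the quoted sid:2113 content options to constructed rexec-style payloads. It also models `within`, which the rule does not use, to show the difference between "search onward from the previous match" and "the very next byte".

```python
# Toy model of Snort content matching (offset/depth/distance/within), written for
# this thread; it follows the semantics described above and is not Snort's own code.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Content:
    pattern: bytes
    offset: int = 0                 # absolute: skip this many bytes of payload (0-based)
    depth: Optional[int] = None     # absolute: search only this many bytes from offset
    distance: Optional[int] = None  # relative: start this many bytes past the previous match
    within: Optional[int] = None    # relative: pattern must lie within this many bytes of that start

def search_window(payload: bytes, c: Content, cursor: int):
    """Return the [start, end) slice this content is allowed to match in."""
    if c.distance is not None:      # relative to the end of the previous content match
        start = cursor + c.distance
        end = len(payload) if c.within is None else start + c.within
    else:
        start = c.offset
        end = len(payload) if c.depth is None else start + c.depth
    return start, end

def rule_matches(payload: bytes, contents: List[Content], index: int = 0, cursor: int = 0) -> bool:
    """True if every content matches in order; cursor is the byte just past the previous
    match. If a later content fails, the earlier one is retried at its next occurrence."""
    if index == len(contents):
        return True
    c = contents[index]
    start, end = search_window(payload, c, cursor)
    while True:
        idx = payload.find(c.pattern, start, end)  # whole pattern must lie in [start, end)
        if idx < 0:
            return False
        if rule_matches(payload, contents, index + 1, idx + len(c.pattern)):
            return True
        start = idx + 1

# Content options of sid:2113 exactly as quoted in the thread: with no `within`,
# distance:0 only says "search onward from here", so the three nulls need not be adjacent.
SID_2113 = [Content(b"\x00", offset=9),
            Content(b"\x00", distance=0),
            Content(b"\x00", distance=0)]
# Variant that would actually require |00 00 00| as one run.
SID_2113_ADJACENT = [Content(b"\x00", offset=9),
                     Content(b"\x00", distance=0, within=1),
                     Content(b"\x00", distance=0, within=1)]
# Constructed payloads (rexec sends "port\0user\0pass\0cmd\0").
NORMAL_REXEC = b"0\x00alice\x00secret\x00ls\x00"   # only two nulls at/after byte 9
SPREAD_NULLS = b"A" * 9 + b"\x00A\x00A\x00"        # three nulls after byte 9, not adjacent
TRIPLE_NULL  = b"A" * 9 + b"\x00A\x00\x00\x00"     # |00 00 00| starting at byte 11
```

Running `rule_matches` over the three payloads shows that the quoted rule fires on SPREAD_NULLS as well as TRIPLE_NULL, while only the `within` variant is restricted to a literal run of three nulls.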