[Snort-sigs] Is modifier depth:32 required in the sid rule no. 1102
mwatchinski at ...435...
Wed Jul 7 16:02:19 EDT 2004
Doesn't look necessary. I'm setting up an old version of Nessus to test
this, since Nessus 2.x doesn't use this URI anymore.
> Is modifier depth:32 required in the sid rule no. 1102 where
> there is no "content" keyword.
> Details are presented below:
> *SID* 1102
> *Message* WEB-MISC Nessus 404 probe
> *Signature* alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
> $HTTP_PORTS (msg:"WEB-MISC Nessus 404 probe";
> flow:to_server,established; uricontent:"/nessus_is_probing_you_";
> depth:32; reference:arachnids,301; classtype:web-application-attack;
> sid:1102; rev:7;)
> *2.5.4 depth *
> The depth keyword allows the rule writer to specify how far into a
> packet snort should search for the specified pattern. depth modifies
> the previous 'content' keyword in the rule.
> A depth of 5 would tell snort to only look for the specified
> pattern within the first 5 bytes of the payload.
> As the depth keyword is a modifier to the previous 'content' keyword,
> there must be a content in the rule before 'depth' is specified.
> Rajesh Kumar
> iPolicy Networks Pvt. Ltd.
> NSEZ, Noida, U.P., India-201305
> Tel: 0120-2567002-5 extn:- 168 (O), 0120-2573097(R)
> Fax: 0120-2568681
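
As an added example (not part of either message and not Snort's own code), a small lint over rule text that reports a `depth` with no `content` option before it, the condition the quoted manual section describes. It assumes `uricontent` does not count as `content` for this check; the function names and the second rule are constructed for illustration.

```python
# Added example: flag `depth` options that have no `content` option before them.
# Assumption: `uricontent` is not treated as `content` for this check.

SID_1102 = (  # rule text as quoted in the message above
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; '
    'uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; '
    'classtype:web-application-attack; sid:1102; rev:7;)'
)
CONSTRUCTED = (  # constructed sample, not a real rule
    'alert tcp any any -> any 80 '
    '(msg:"constructed; sample"; content:"GET"; depth:3; sid:1000001;)'
)

def split_options(rule):
    """Return [(keyword, value_or_None), ...] from the parenthesised option list."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            # Unquoted, unescaped semicolon ends one option.
            opt, buf = "".join(buf).strip(), []
            if opt:
                key, _, val = opt.partition(":")
                opts.append((key.strip(), val.strip() or None))
            continue
        buf.append(ch)
        if escaped:
            escaped = False          # character after a backslash is literal
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote  # semicolons inside quotes do not split
    return opts

def orphan_depth(rule):
    """Return the values of depth options with no content option before them."""
    seen_content, orphans = False, []
    for key, val in split_options(rule):
        if key == "content":
            seen_content = True
        elif key == "depth" and not seen_content:
            orphans.append(val)
    return orphans

if __name__ == "__main__":
    for name, rule in (("sid 1102", SID_1102), ("constructed", CONSTRUCTED)):
        print(name, "-> depth without content:", orphan_depth(rule))
```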