[Snort-sigs] Is modifier depth:32 required in the sid rule no. 1102

Matthew Watchinski mwatchinski at ...435...
Wed Jul 7 16:02:19 EDT 2004


Doesn't look necessary. I'm setting up an old version of Nessus to test 
this, since Nessus 2.x doesn't use this URI anymore.

cheers,
-matt

Kumar,Rajesh wrote:

> Hi!
>
> Is the modifier depth:32 required in rule sid 1102, where 
> there is no "content" keyword?
> Details are presented below:
>
> Rule:-
>
> SID: 1102
> Message: WEB-MISC Nessus 404 probe
> Signature: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
> $HTTP_PORTS (msg:"WEB-MISC Nessus 404 probe"; 
> flow:to_server,established; uricontent:"/nessus_is_probing_you_"; 
> depth:32; reference:arachnids,301; classtype:web-application-attack; 
> sid:1102; rev:7;)
>
> Manual:-
> 2.5.4 depth
>
> The depth keyword allows the rule writer to specify how far into a 
> packet snort should search for the specified pattern. depth modifies 
> the previous 'content' keyword in the rule.
>
> A depth of 5 would tell snort to only look for the specified 
> pattern within the first 5 bytes of the payload.
>
> As the depth keyword is a modifier to the previous 'content' keyword, 
> there must be a content in the rule before 'depth' is specified.
>
>
> Thanks,
>
> Rajesh Kumar
> iPolicy Networks Pvt. Ltd.
> NSEZ, Noida, U.P., India-201305
> Tel: 0120-2567002-5 extn:- 168 (O), 0120-2573097(R)
> Fax: 0120-2568681
>
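
As an added example (not part of the original thread and not Snort's own code), a small Python lint that applies the manual text quoted above: it flags a `depth` option that appears with no `content` keyword before it in the rule. The function names and the second sample rule are hypothetical, and treating `uricontent` as not satisfying the `content` requirement is an assumption drawn from the manual's wording.

```python
# Constructed sample input: sid 1102 as quoted in the thread, plus a
# hypothetical rule (sid 1000001) where depth follows a content keyword.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; '
    'uricontent:"/nessus_is_probing_you_"; depth:32; '
    'reference:arachnids,301; classtype:web-application-attack; '
    'sid:1102; rev:7;)',
    'alert tcp any any -> any 80 (msg:"constructed example\\; ok"; '
    'content:"GET "; depth:4; sid:1000001; rev:1;)',
]


def split_options(rule):
    """Return [(keyword, value), ...] from the parenthesised option block."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, buf, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:                        # char after a backslash is literal
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ';' and not in_quotes:  # unquoted ';' ends an option
            key, _, val = ''.join(buf).strip().partition(':')
            if key:
                opts.append((key.strip().lower(), val.strip()))
            buf = []
            continue
        buf.append(ch)
    return opts


def depth_without_content(rule, modifiers=('depth',)):
    """Flag modifiers that appear before any 'content' keyword in the rule."""
    opts = split_options(rule)
    sid = dict(opts).get('sid')
    seen_content, findings = False, []
    for key, val in opts:
        if key == 'content':
            seen_content = True
        elif key in modifiers and not seen_content:
            findings.append((sid, key, val))
    return findings


if __name__ == '__main__':
    for rule in RULES:
        print(depth_without_content(rule))
```
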




