[Snort-sigs] Corrupted definitions of 2403.4 and 2404.5?

nnposter at ...592...
Fri Jun 4 13:40:08 EDT 2004


From: Brian <bmc at ...95...>
> On Fri, Jun 04, 2004 at 01:30:43PM -0600, nnposter at ...592... wrote:
> > Definitions of rules 2403.4 and 2404.5 start with two *relative* content
> > clauses:
> > 
> > flow:to_server,established; 
> > content:"|00 00|"; distance:0; 
> > content:"|00 00|"; distance:0; 
> > content:"|00|"; depth:1;
> 
> That's fine actually, the first distance will act as "offset" since the
> doe_ptr is set to 0.

But aren't these two clauses useless?

A: flow:to_server,established;
B: content:"|00 00|"; distance:0; # there is 0x0000 somewhere in the packet
C: content:"|00 00|"; distance:0; # another 0x0000 somewhere later
D: content:"|00|"; depth:1; # packet starts with 0x00
E: byte_test:2,>,322,2;
F: content:"|FF|SMBs"; depth:5; offset:4; nocase;
G: byte_test:1,&,128,6,relative;
H: byte_test:2,>,255,54,relative,little;
I: content:"|00|"; distance:56; 
J: content:"|00 00|"; distance:255; # there is some 0x0000 deep in the packet
K: content:"|00 00|"; distance:0; # another 0x0000 somewhere later

In particular, aren't B and C already implied by J and K because D resets doe_ptr?

TIA
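A toy evaluator for the options in this rule, added here as an example; it is not code from the post, from Brian, or from Snort. It encodes the semantics the thread assumes (doe_ptr starts at 0, `distance` is measured from doe_ptr, every content match moves doe_ptr to the byte after the match, `byte_test` reads but never moves it, `depth` is counted from `offset`), runs the rule with and without clauses B and C over constructed payloads, and checks that the verdict never differs. Since J and K are themselves two successive 0x0000 matches, the bytes they match already satisfy B (a 0x0000 anywhere from offset 0) and then C (another one after it), which is what the randomised check confirms on the model. The payload layout, the zero-byte positions, the `smb_payload`/`evaluate`/`fuzz_agreement` helpers and the `RULE` table are all mine; the byte values are constructed for illustration, not captured SMB traffic. Snort's retry of an earlier content at its next occurrence when a later relative option fails is deliberately not modelled.

```python
"""Toy evaluator for the options in rules 2403/2404 (an added example, not code
from the post or from Snort).  Assumed semantics, after the Snort 2 manual and
Brian's remark that doe_ptr starts at 0: an absolute content searches
payload[offset:offset+depth]; 'distance' makes a content relative, searching
from doe_ptr+distance; every content match moves doe_ptr past the match;
byte_test reads at (doe_ptr if relative else 0)+offset and never moves it.
"""
import random

OPS = {">": lambda n, v: n > v, "&": lambda n, v: (n & v) != 0}


def content(payload, doe_ptr, pattern, offset=0, depth=None,
            distance=None, nocase=False):
    """Return the new doe_ptr on a match, None if the pattern is not found."""
    if distance is not None:                               # relative match
        start, end = doe_ptr + distance, len(payload)
    else:                                                  # absolute match
        start = offset
        end = offset + depth if depth is not None else len(payload)
    hay, pat = payload[start:end], pattern
    if nocase:
        hay, pat = hay.lower(), pat.lower()
    idx = hay.find(pat)
    return None if idx < 0 else start + idx + len(pat)


def byte_test(payload, doe_ptr, nbytes, op, value, offset,
              relative=False, little=False):
    """Compare the nbytes read at (doe_ptr if relative else 0)+offset."""
    pos = (doe_ptr if relative else 0) + offset
    chunk = payload[pos:pos + nbytes]
    if len(chunk) < nbytes:
        return False
    return OPS[op](int.from_bytes(chunk, "little" if little else "big"), value)


RULE = [  # labels as in the post
    ("B", "content", dict(pattern=b"\x00\x00", distance=0)),
    ("C", "content", dict(pattern=b"\x00\x00", distance=0)),
    ("D", "content", dict(pattern=b"\x00", depth=1)),
    ("E", "byte_test", dict(nbytes=2, op=">", value=322, offset=2)),
    ("F", "content", dict(pattern=b"\xffSMBs", depth=5, offset=4, nocase=True)),
    ("G", "byte_test", dict(nbytes=1, op="&", value=128, offset=6, relative=True)),
    ("H", "byte_test", dict(nbytes=2, op=">", value=255, offset=54,
                            relative=True, little=True)),
    ("I", "content", dict(pattern=b"\x00", distance=56)),
    ("J", "content", dict(pattern=b"\x00\x00", distance=255)),
    ("K", "content", dict(pattern=b"\x00\x00", distance=0)),
]
WITHOUT_BC = [opt for opt in RULE if opt[0] not in ("B", "C")]


def evaluate(rule, payload, trace=None):
    """Run the options in order from doe_ptr 0; optionally record each result."""
    doe_ptr = 0
    for label, kind, kw in rule:
        if kind == "content":
            doe_ptr = res = content(payload, doe_ptr, **kw)
        else:
            res = byte_test(payload, doe_ptr, **kw)
        if trace is not None:
            trace.append((label, res))
        if res is None or res is False:
            return False
    return True


def doe_ptr_trace(payload):
    """Per-option result of the full rule (new doe_ptr for a content, verdict
    for a byte_test); shows D resetting doe_ptr to 1 after B and C."""
    trace = []
    evaluate(RULE, payload, trace)
    return dict(trace)


def smb_payload(deep_zero_pairs=(330, 340), length=400):
    """Constructed sample, not a capture: 0x41 filler plus the bytes the rule
    inspects, so every 0x00 in it is placed on purpose."""
    p = bytearray(b"\x41" * length)
    p[0:2] = b"\x00\x00"                      # NetBIOS type/flags; D needs p[0]==0
    p[2:4] = (length - 4).to_bytes(2, "big")  # NetBIOS length > 322, for E
    p[4:9] = b"\xffSMBs"                      # F: SMB magic, command 0x73
    p[15] |= 0x80                             # G: bit 0x80 at doe_ptr 9 + 6
    p[63:65] = (256).to_bytes(2, "little")    # H: little-endian word > 255 at 9 + 54
    p[70] = 0x00                              # I: first 0x00 at or after 9 + 56
    for off in deep_zero_pairs:               # J, K: 0x0000 pairs after 71 + 255
        p[off:off + 2] = b"\x00\x00"
    return bytes(p)


def fuzz_agreement(n=3000, seed=4):
    """Random zero-rich payloads, half with the header fields spliced in so the
    later options are reached; True if B/C never change the verdict."""
    rng = random.Random(seed)
    for _ in range(n):
        size = rng.randint(0, 420)
        p = bytearray(rng.choice(b"\x00\x00\x41\xff") for _ in range(size))
        if size >= 65 and rng.random() < 0.5:
            p[0:9], p[15], p[63:65] = smb_payload()[:9], p[15] | 0x80, b"\x00\x01"
        if evaluate(RULE, p) != evaluate(WITHOUT_BC, p):
            return False
    return True
```

Calling `doe_ptr_trace(smb_payload())` on the sample shows C leaving doe_ptr at 332, D pulling it back to 1, F setting it to 9 and K ending at 342; `evaluate(RULE, p) == evaluate(WITHOUT_BC, p)` holds for the sample, for a variant with only one deep 0x0000 pair (K fails either way) and across the `fuzz_agreement()` run, under the assumptions stated above.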
