[Snort-sigs] Is modifier depth:32 required in the sid rule no. 1102
rkumar at ...1649...
Thu Jun 24 05:09:00 EDT 2004
Is modifier depth:32 required in the sid rule no. 1102 where there is no "content" keyword?
Details are presented below:
Message: WEB-MISC Nessus 404 probe
Signature: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; classtype:web-application-attack; sid:1102; rev:7;)
The depth keyword allows the rule writer to specify how far into a packet snort should search for the specified pattern. depth modifies the previous 'content' keyword in the rule.
A depth of 5 would tell snort to only look for the specified pattern within the first 5 bytes of the payload.
As the depth keyword is a modifier to the previous 'content' keyword, there must be a content in the rule before 'depth' is specified.
iPolicy Networks Pvt. Ltd.
NSEZ, Noida, U.P., India-201305
Tel: 0120-2567002-5 extn:- 168 (O), 0120-2573097(R)
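
The documentation quoted in the post says depth modifies the previous 'content' keyword. The following Python check is an added example, not part of the original post and not Snort's own code: it parses a rule's option list and reports every depth whose nearest preceding pattern option is not content. Treating uricontent as a non-matching predecessor is this example's reading of the quoted text, and the function names and the second rule are hypothetical.

```python
# Added example: lint Snort rule options for a 'depth' with no 'content' before it.
# Rule text copied from the post.
RULE_1102 = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
             '(msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; '
             'uricontent:"/nessus_is_probing_you_"; depth:32; '
             'reference:arachnids,301; classtype:web-application-attack; '
             'sid:1102; rev:7;)')
# Constructed rule (not from the post): depth directly follows a content option.
RULE_CONSTRUCTED = ('alert tcp any any -> any 80 (msg:"constructed sample"; '
                    'content:"GET /a\\;b"; depth:10; sid:1000001; rev:1;)')


def parse_options(rule):
    """Split the parenthesised option list into (name, value) pairs."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option list")
    options, current, in_quotes, escaped = [], "", False, False
    for ch in rule[start + 1:end]:
        # A ';' ends an option only outside quotes and when not backslash-escaped.
        if ch == ";" and not in_quotes and not escaped:
            options.append(current)
            current = ""
            continue
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        escaped = (ch == "\\" and not escaped)
        current += ch
    if in_quotes:
        raise ValueError("unterminated quoted string")
    options.append(current)
    pairs = []
    for opt in options:
        name, _, value = opt.strip().partition(":")
        if name:
            pairs.append((name.strip(), value.strip()))
    return pairs


def find_orphan_modifiers(rule, modifiers=("depth",)):
    """Return (modifier, value, previous_pattern_option) for each modifier whose
    nearest preceding pattern option is not 'content' (None if there is none)."""
    findings, previous = [], None
    for name, value in parse_options(rule):
        if name in ("content", "uricontent"):
            previous = name
        elif name in modifiers and previous != "content":
            findings.append((name, value, previous))
    return findings
```

Run over a rules file one rule per call, a non-empty result marks a rule to review by hand; it does not say how a particular Snort version treats the option.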