[Snort-sigs] Is modifier depth:32 required in the sid rule no. 1102

Kumar,Rajesh rkumar at ...1649...
Thu Jun 24 05:09:00 EDT 2004


Is modifier depth:32 required in the sid rule no. 1102 where there is no "content" keyword?
Details are presented below:


SID:       1102
Message:   WEB-MISC Nessus 404 probe
Signature: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; classtype:web-application-attack; sid:1102; rev:7;)

2.5.4 depth 

The depth keyword allows the rule writer to specify how far into a packet snort should search for the specified pattern. depth modifies the previous 'content' keyword in the rule. 

A depth of 5 would tell snort to only look for the specified pattern within the first 5 bytes of the payload. 

As the depth keyword is a modifier to the previous 'content' keyword, there must be a content in the rule before 'depth' is specified. 


Rajesh Kumar
iPolicy Networks Pvt. Ltd.
NSEZ, Noida, U.P., India-201305
Tel: 0120-2567002-5 extn:- 168 (O), 0120-2573097(R)
Fax: 0120-2568681
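
A check for the condition the quoted manual text describes, added here as an example (not part of the original post and not Snort's own code): it splits a rule's option list and reports every depth whose nearest preceding pattern keyword is not content. The function names, the constructed comparison rule and the choice to track only content and uricontent as pattern keywords are assumptions of this example.

```python
# Rule text copied from the post above (sid 1102).
RULE_1102 = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
             '(msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; '
             'uricontent:"/nessus_is_probing_you_"; depth:32; '
             'reference:arachnids,301; classtype:web-application-attack; '
             'sid:1102; rev:7;)')

# Constructed comparison rule (not a real signature): depth follows content.
RULE_OK = ('alert tcp any any -> any 80 (msg:"constructed example"; '
           'content:"GET"; depth:5; sid:1000001; rev:1;)')

# Assumption: only these two pattern keywords are tracked by this check.
PATTERN_KEYWORDS = {"content", "uricontent"}


def split_options(rule):
    """Return [(keyword, value)] from the parenthesised option list.
    A ';' inside double quotes or after a backslash does not end an option."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, buf, in_quotes, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quotes and not escaped:
            text = "".join(buf).strip()
            if text:
                key, _, value = text.partition(":")
                options.append((key.strip(), value.strip()))
            buf = []
            continue
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        escaped = (ch == "\\" and not escaped)
        buf.append(ch)
    return options


def misplaced_depth(rule):
    """List (depth value, preceding pattern keyword) for each depth option
    whose nearest preceding pattern keyword is not 'content'."""
    findings, last_pattern = [], None
    for key, value in split_options(rule):
        if key in PATTERN_KEYWORDS:
            last_pattern = key
        elif key == "depth" and last_pattern != "content":
            findings.append((value, last_pattern))
    return findings


if __name__ == "__main__":
    print("sid 1102:", misplaced_depth(RULE_1102))
    print("constructed rule:", misplaced_depth(RULE_OK))
```

For sid 1102 the check reports the depth:32 option together with uricontent as the keyword it follows; the constructed rule produces no findings.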