[Snort-sigs] Question about rule 1549

Brian bmc at ...95...
Mon Mar 15 06:05:11 EST 2004


On Fri, Mar 12, 2004 at 12:14:33PM -0300, Federico Petronio wrote:
> content:"HELO"; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi";

<snip>

> 48 45 4C 4F 20 57 4C 4C 2D 33 33 2D 70 70 70 6F  HELO WLL-33-pppo
> 65 30 31 32 2E 74 2D 6E 65 74 2E 6E 65 74 2E 76  e012.t-net.net.v
> 65                                               e
> 
> but I am not sure why since the "{500}" restriction could not match ever
> because the packet is shorter than that.

Not only should the pcre have caught it, but the isdataat should have
caused it to not alert as well.  hrm.  Odd.

Brian
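To see why the quoted packet cannot satisfy the rule, here is a small model of the three options (content, isdataat, pcre) run over the hex dump from the post. This is an added example, not code from the thread or from Snort; the rule text is taken from the quoted `content`/`isdataat`/`pcre` line, the boundary rule used for `isdataat:N,relative` (a byte must exist N positions past the end of the previous match) is a simplified assumption about Snort's semantics, and `parse_hexdump`, `rule_1549_matches` and friends are names chosen here.

```python
import re
from typing import Optional

# Constructed from the 33-byte payload quoted in the post.
HEXDUMP = """\
48 45 4C 4F 20 57 4C 4C 2D 33 33 2D 70 70 70 6F  HELO WLL-33-pppo
65 30 31 32 2E 74 2D 6E 65 74 2E 6E 65 74 2E 76  e012.t-net.net.v
65                                               e
"""

# Rule options as quoted in the thread (rule 1549).
CONTENT = b"HELO"                 # no 'nocase', so the match is case-sensitive
ISDATAAT_OFFSET = 500             # isdataat:500,relative
PCRE = re.compile(rb"^HELO\s[^\n]{500}", re.S | re.M | re.I)  # /smi


def parse_hexdump(dump: str) -> bytes:
    """Turn 'hex bytes  ascii' dump lines into raw bytes; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        hex_part = line.split("  ", 1)[0]          # two spaces separate hex from ASCII
        out.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(out)


def content_match(payload: bytes) -> Optional[int]:
    """content:"HELO": return the offset just past the first match, else None."""
    idx = payload.find(CONTENT)
    return None if idx < 0 else idx + len(CONTENT)


def isdataat_relative(payload: bytes, doe: int, offset: int) -> bool:
    """isdataat:<offset>,relative: true when a payload byte exists <offset>
    positions past the end of the previous match (simplified model, an assumption)."""
    return doe + offset < len(payload)


def pcre_match(payload: bytes) -> bool:
    """pcre:"/^HELO\\s[^\\n]{500}/smi": needs 'HELO', one whitespace, then 500 non-newline bytes."""
    return PCRE.search(payload) is not None


def rule_1549_matches(payload: bytes) -> dict:
    """Evaluate each option independently so the failing one is visible, then AND them."""
    doe = content_match(payload)
    result = {"length": len(payload), "content": doe is not None,
              "isdataat": False, "pcre": False}
    if doe is not None:
        result["isdataat"] = isdataat_relative(payload, doe, ISDATAAT_OFFSET)
        result["pcre"] = pcre_match(payload)
    result["alert"] = result["content"] and result["isdataat"] and result["pcre"]
    return result


if __name__ == "__main__":
    # The packet from the post: content matches, but only 29 bytes follow "HELO",
    # so isdataat and pcre both fail and no alert should fire.
    print(rule_1549_matches(parse_hexdump(HEXDUMP)))
    # A constructed oversized HELO argument that the rule is meant to catch.
    print(rule_1549_matches(b"HELO " + b"A" * 500 + b"\r\n"))
```

Running it on the quoted packet shows `content` true and both `isdataat` and `pcre` false, which is exactly why the alert is unexpected; a payload with 500 or more non-newline bytes after `HELO ` flips all three to true.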
