[Snort-sigs] Question about rule 1549

Federico Petronio petrus at ...2312...
Wed Mar 17 12:18:09 EST 2004


Brian wrote:

> On Fri, Mar 12, 2004 at 12:14:33PM -0300, Federico Petronio wrote:
> 
>>content:"HELO"; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi";
> 
> 
> <snip>
> 
>>48 45 4C 4F 20 57 4C 4C 2D 33 33 2D 70 70 70 6F  HELO WLL-33-pppo
>>65 30 31 32 2E 74 2D 6E 65 74 2E 6E 65 74 2E 76  e012.t-net.net.v
>>65                                               e
>>
>>but I am not sure why since the "{500}" restriction could not match ever
>>because the packet is shorter than that.
> 
> 
> Not only should the pcre caught it, but the isdataat should have
> caused it to not alert as well.  hrm.  Odd.

I found the problem... The rule is not updated to rev.13 in 
snortrules-snapshot-2_0.tar.gz and that is the rules package that I 
installed.

Thank you...
-- 
                                         Federico Petronio
                                         petrus at ...2312...
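A small model of how the three rule options in the thread chain together, added here as an example (it is not code from the thread or from Snort itself). It rebuilds the HELO payload from the hex dump above and shows where a short packet drops out; the exact boundary handling of isdataat is an assumption of this model, not a quote of Snort's source.

```python
import re

# SMTP HELO payload from the thread, rebuilt from its hex dump
# (constructed reproduction, 33 bytes long).
SHORT_HELO = bytes.fromhex(
    "48454C4F20574C4C2D33332D7070706F"
    "653031322E742D6E65742E6E65742E76"
    "65"
)

# The rule options under discussion (rev.13 of rule 1549).
CONTENT = b"HELO"
ISDATAAT = 500                       # isdataat:500,relative
PCRE = re.compile(rb"^HELO\s[^\n]{500}", re.S | re.M | re.I)


def rule_matches(payload: bytes) -> dict:
    """Evaluate the options in rule order and report which ones matched.

    Snort stops at the first option that fails, so a short packet
    never reaches the pcre check at all.
    """
    result = {"content": False, "isdataat": False, "pcre": False}
    pos = payload.find(CONTENT)
    if pos < 0:
        return result
    result["content"] = True
    # isdataat:N,relative: the byte N positions past the end of the last
    # content match must exist (assumed boundary: strictly more than N
    # bytes remaining after the match).
    doe = pos + len(CONTENT)
    if len(payload) - doe <= ISDATAAT:
        return result
    result["isdataat"] = True
    # pcre with /smi: ^ anchors at a line start, so the 500 non-newline
    # bytes must follow "HELO " on the same line.
    result["pcre"] = PCRE.search(payload) is not None
    return result


def alerts(payload: bytes) -> bool:
    """True only when every option matched, i.e. the rule would fire."""
    return all(rule_matches(payload).values())
```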