[Snort-sigs] SID 13923 - Bad Rule

Patrick Mullen pmullen at ...435...
Tue Apr 6 15:45:35 EDT 2010


>> Hello, SID 13923 seems to generate quite a lot of false positives.

You are correct that the rule alerts on RFC-compliant traffic.  This
is immediately obvious by looking at the rule.  The rule was modified
from its previous form which had pcre:"/^HELO\x20(\x00|.\x00)/smi" to
its new form which currently has "content:"HELO "; content:!"|00|";
within:2; as part of a lot of performance changes.  Obviously, this
change does not fit the previous rule's intent due to the "!" modifier
on the content match.  A mistake was made and then lost in the mix.
Thank you for pointing it out; it will be fixed in the next release
and an additional speed increase that was realized during review will
be added to the rule.

Next time simply letting us know there is an obvious problem with the
rule without adding the "...to be a jerk..." part should be
sufficient.  ;)


Thanks,

~Patrick
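The rule change described in the reply above, modelled in Python as an added example (this is not code from the post or from the Snort project): the earlier pcre form `^HELO\x20(\x00|.\x00)` and the later `content:"HELO "; content:!"|00|"; within:2;` form are run over a few constructed SMTP payloads, with the `!` modifier both present and removed, so the inversion of intent is visible. The `content_within` helper is a deliberately simplified model of Snort's relative content matching (every anchor occurrence is checked, content is case-sensitive as no `nocase` appears in the quoted rule), not Snort's detection engine.

```python
import re

# Pattern quoted in the post for the earlier form of SID 13923.
# Python's re accepts the same syntax; /s -> DOTALL, /m -> MULTILINE, /i -> IGNORECASE.
ORIGINAL_PCRE = re.compile(rb"^HELO\x20(\x00|.\x00)",
                           re.DOTALL | re.MULTILINE | re.IGNORECASE)


def original_rule_alerts(payload: bytes) -> bool:
    """Earlier rule form: alert when a NUL byte sits at offset 0 or 1 after 'HELO '."""
    return ORIGINAL_PCRE.search(payload) is not None


def content_within(payload: bytes, anchor: bytes, needle: bytes,
                   within: int, negated: bool) -> bool:
    """Simplified model (assumption, not Snort's engine) of:
        content:ANCHOR; content:[!]NEEDLE; within:N;
    'within:N' requires the second content to end within N bytes after the end
    of the first match. Every ANCHOR occurrence is tried; the rule fires if any
    occurrence satisfies the (possibly negated) relative match.
    """
    start = 0
    while True:
        idx = payload.find(anchor, start)
        if idx == -1:
            return False
        end = idx + len(anchor)
        window = payload[end:end + within]
        found = needle in window
        if (not found) if negated else found:
            return True
        start = idx + 1


def modified_rule_alerts(payload: bytes) -> bool:
    """Form quoted as current in the post: content:"HELO "; content:!"|00|"; within:2;"""
    return content_within(payload, b"HELO ", b"\x00", 2, negated=True)


def modified_rule_without_negation(payload: bytes) -> bool:
    """Same content pair with the '!' removed. Used here only to show that the
    negation alone is what flips the rule relative to the pcre form."""
    return content_within(payload, b"HELO ", b"\x00", 2, negated=False)


def compare(payload: bytes):
    """(pcre form, negated content form, content form without '!')."""
    return (original_rule_alerts(payload),
            modified_rule_alerts(payload),
            modified_rule_without_negation(payload))


# Constructed sample payloads (not captured traffic).
COMPLIANT = b"HELO mail.example.com\r\n"      # ordinary RFC-style greeting
NUL_IMMEDIATE = b"HELO \x00AAAA\r\n"          # NUL right after the space
NUL_AT_ONE = b"HELO A\x00BBB\r\n"             # NUL one byte after the space
NUL_LATE = b"HELO AB\x00\r\n"                 # NUL outside the 2-byte window

SAMPLES = {
    "COMPLIANT": COMPLIANT,
    "NUL_IMMEDIATE": NUL_IMMEDIATE,
    "NUL_AT_ONE": NUL_AT_ONE,
    "NUL_LATE": NUL_LATE,
}

if __name__ == "__main__":
    print(f"{'payload':<14} {'pcre':<6} {'content!':<9} {'content':<7}")
    for name, data in SAMPLES.items():
        pcre, neg, plain = compare(data)
        print(f"{name:<14} {str(pcre):<6} {str(neg):<9} {str(plain):<7}")
```

The table this prints makes the problem concrete: on the compliant greeting the pcre form is silent while the negated content form alerts, and on the NUL-bearing payloads the two disagree in the opposite direction. Removing the `!` brings the content form back into line with the pcre form on every sample.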
