[Snort-sigs] Understanding within

James Lay jlay at ...3266...
Wed Aug 15 13:13:13 EDT 2012


No..this isn't a Zen message ;)

Here's what I got...a boatload of eFax Blackhole exploit emails...so I 
thought I'd get some visibility into them with the following:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS possible Blackhole emailing"; flow:to_server, established; file_data; content:"<a href=|22|http:"; fast_pattern; pcre:"/\x2f[a-z]{8}\x2f/i"; classtype:trojan-activity; sid:10000018; rev:1;)

I'm trying to tighten it down with within:30;, but I can't seem to get 
it to fire when I add it.  My understanding using within is:

content:"bleh"; content:"bleh again"; within:30;

I know I'm missing something (no surprise there), but not sure 
what...any help would uh...help :)  Thanks!

James
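The following is an added illustration of how Snort 2 relative modifiers behave; it is not Snort code and not part of the original post. In Snort 2, within is a modifier of the content keyword immediately before it: the whole pattern must fit inside the next N bytes after the end of the previous match. A pcre becomes relative to the previous match only with its R flag. The emulator below models a rule as a list of steps, takes bytes for a content and a compiled regex as a stand-in for a relative pcre, and uses a constructed mail body in which the 8-letter directory ends 27 bytes after the end of the anchor match, so within:27 fits and within:26 does not. In this model a within placed on the first step is measured from offset 0, which shows why the window must sit after the second pattern, not the first.

```python
import re

# Added illustration of Snort 2 relative-match semantics (not Snort code).
# A rule is modelled as a list of steps (pattern, distance, within):
#   pattern  - bytes (a Snort 'content') or a compiled regex (a 'pcre' with R)
#   distance - bytes to skip after the previous match before searching
#   within   - size of the window, from the search start, inside which the
#              whole pattern must fit; None = no limit (search to end of buffer)
# The first step has no previous match, so it searches from offset 0.

def _find(payload, pattern, start, end):
    """Find pattern fully inside payload[start:end]; return (begin, finish) or None."""
    if isinstance(pattern, bytes):
        pos = payload.find(pattern, start, end)
        return None if pos < 0 else (pos, pos + len(pattern))
    m = pattern.search(payload, start, end)
    return None if m is None else (m.start(), m.end())

def match_rule(payload, steps, cursor=0, index=0):
    """Match steps in order; cursor is the offset just past the previous match.
    Backtracks to a later occurrence of an earlier step when a later step fails,
    as Snort does when it retries a content match."""
    if index == len(steps):
        return True
    pattern, distance, within = steps[index]
    start = cursor + distance
    end = len(payload) if within is None else min(len(payload), start + within)
    found = _find(payload, pattern, start, end)
    while found is not None:
        begin, finish = found
        if match_rule(payload, steps, finish, index + 1):
            return True
        found = _find(payload, pattern, begin + 1, end)
    return False

# Constructed sample body (hypothetical host name): '/abcdefgh/' starts
# 17 bytes after the end of '<a href="http:' and ends 27 bytes after it.
SAMPLE = (b'Subject: your fax\r\n\r\n'
          b'<html><body>Click <a href="http://example.invalid/abcdefgh/">here</a>'
          b'</body></html>\r\n')

ANCHOR = b'<a href="http:'                  # the rule's fast_pattern content
PATH = re.compile(rb'/[a-z]{8}/', re.I)     # the rule's pcre, made relative

def rule_with_window(within):
    """Anchor content, then the path regex relative to it, bounded by `within`."""
    return match_rule(SAMPLE, [(ANCHOR, 0, None), (PATH, 0, within)])

def window_attached_to_wrong_step():
    """within placed after the *first* content constrains that content instead:
    in this model it forces the anchor into the first 30 bytes, where it is not."""
    return match_rule(SAMPLE, [(ANCHOR, 0, 30), (PATH, 0, None)])

if __name__ == "__main__":
    for w in (None, 30, 27, 26):
        print(f"within={w}: {rule_with_window(w)}")
    print("within on first content:", window_attached_to_wrong_step())
```

Run it as a script to see the window boundary: within=27 still matches, within=26 does not, and the same window attached to the first content never fires on this body.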