<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">Dear Snort Team,</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">I discovered something wrong in the rules, so I want to know whether I am misunderstanding something.</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,8,12,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2016-1287; reference:url,<a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike" class="">tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike</a>; classtype:attempted-admin; sid:36903; rev:2;)</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,8,12,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2016-1287; reference:url,<a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike" class="">tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike</a>; classtype:attempted-admin; sid:37674; rev:1;)</div><div style="margin: 0px; font-stretch: normal; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">In the above two rules, the content option seems to check "Next Payload", "MjVer" and "MnVer" <span style="font-stretch: normal; line-height: normal; font-family: 'Apple SD Gothic Neo';" class="">of the IKE header</span>. According to section "3.1 The IKE Header" <span style="font-stretch: normal; line-height: normal; font-family: 'Apple SD Gothic Neo';" class="">of</span> RFC 4306, the Next Payload field is located at offset 8. I wonder why the offset of the content option is 16.</div><div style="margin: 0px; font-stretch: normal; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">RFC 4306: <a href="https://tools.ietf.org/html/rfc4306#page-41" class="">https://tools.ietf.org/html/rfc4306#page-41</a></div><div class=""><br class=""></div><div class=""><div class="">Best regards,</div><div class="">Eric Baek</div></div></div></div></body></html>
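The following is an added example, not part of the message above and not Snort or Cisco code. It parses the IKE header exactly as RFC 4306 section 3.1 lays it out (an 8-byte IKE_SA Initiator SPI, an 8-byte IKE_SA Responder SPI, then Next Payload, Version, Exchange Type, Flags, Message ID and Length) and then mirrors the detection options of SIDs 36903 and 37674 against a constructed IKEv2 datagram, so one can see which bytes of the UDP payload the rules' content and byte_test options actually inspect. Snort's offset is counted from the first byte of the UDP payload, which on port 500 is the first byte of the IKE header. The packet bytes, the function names and the helper that builds the datagram are all constructed for this example.

```python
"""
Added example (not from the original message or the Snort rule set):
RFC 4306 section 3.1 IKE header parser plus a re-implementation of the
byte checks in Snort SIDs 36903 (IKEv2) and 37674 (IKEv1).
"""
import struct

# RFC 4306 section 3.1 IKE header, 28 bytes, network byte order:
#   0..7   IKE_SA Initiator's SPI
#   8..15  IKE_SA Responder's SPI
#   16     Next Payload
#   17     Version (MjVer = high nibble, MnVer = low nibble)
#   18     Exchange Type
#   19     Flags
#   20..23 Message ID
#   24..27 Length
IKE_HEADER = struct.Struct("!8s8sBBBBII")
IKE_HEADER_LEN = IKE_HEADER.size  # 28

# RFC 4306 section 3.2 generic payload header: Next Payload,
# C/RESERVED, Payload Length.  The first one begins at byte 28.
GENERIC_PAYLOAD_HDR = struct.Struct("!BBH")

# Next Payload value the two rules look for (0x84 = 132, the
# Cisco fragmentation payload type named in the rule messages).
FRAGMENT_PAYLOAD_TYPE = 0x84


def parse_ike_header(udp_payload: bytes) -> dict:
    """Return each IKE header field as (byte offset in UDP payload, value)."""
    if len(udp_payload) < IKE_HEADER_LEN:
        raise ValueError("datagram shorter than the 28-byte IKE header")
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = IKE_HEADER.unpack_from(udp_payload, 0)
    return {
        "initiator_spi": (0, ispi),
        "responder_spi": (8, rspi),
        "next_payload": (16, nxt),
        "mjver": (17, ver >> 4),
        "mnver": (17, ver & 0x0F),
        "exchange_type": (18, exch),
        "flags": (19, flags),
        "message_id": (20, msg_id),
        "length": (24, length),
    }


def snort_rule_matches(udp_payload: bytes, version_byte: int) -> bool:
    """
    Mirror the detection options shared by SID 36903 (version_byte 0x20)
    and SID 37674 (version_byte 0x10):
      content:"|84 xx|"; depth:2; offset:16;  -> bytes 16 and 17
      byte_test:2,<,8,12,relative;           -> 2 bytes at 18 + 12 = 30
    Byte 30 is the Payload Length field of the first payload, whose
    generic header starts right after the 28-byte IKE header.
    """
    if len(udp_payload) < 32:
        return False
    if udp_payload[16:18] != bytes([FRAGMENT_PAYLOAD_TYPE, version_byte]):
        return False
    # After the content match the detection cursor sits at byte 18;
    # byte_test's relative offset of 12 lands on byte 30 (big-endian).
    payload_len = struct.unpack_from("!H", udp_payload, 18 + 12)[0]
    return payload_len < 8


def build_ikev2_fragment(payload_len: int) -> bytes:
    """Construct (not captured) an IKEv2 datagram whose first payload is 0x84."""
    total = IKE_HEADER_LEN + GENERIC_PAYLOAD_HDR.size
    header = IKE_HEADER.pack(
        b"\x11" * 8,             # initiator SPI (arbitrary)
        b"\x22" * 8,             # responder SPI (arbitrary)
        FRAGMENT_PAYLOAD_TYPE,   # Next Payload = 0x84
        0x20,                    # MjVer 2, MnVer 0
        34,                      # Exchange Type IKE_SA_INIT
        0x08,                    # Flags: Initiator
        0,                       # Message ID
        total,                   # Length
    )
    # Generic payload header: next payload 0 (none), reserved, length.
    first_payload = GENERIC_PAYLOAD_HDR.pack(0, 0, payload_len)
    return header + first_payload


if __name__ == "__main__":
    pkt = build_ikev2_fragment(4)
    for name, (off, val) in parse_ike_header(pkt).items():
        print(f"{name:14s} offset {off:2d} value {val!r}")
    print("SID 36903 matches:", snort_rule_matches(pkt, 0x20))
```

Two practical notes. The same datagram carried on UDP 4500 (NAT-T, RFC 3948) is preceded by a 4-byte non-ESP marker, so the Next Payload byte would sit at offset 20 there; both rules bind to port 500 only, so they do not see that traffic. And `byte_test` with no endianness modifier reads big-endian, which is what the IKE Payload Length field uses.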