[Snort-users] (no subject)

Sean Wheeler s.wheeler at ...2876...
Fri Oct 25 14:55:02 EDT 2002


Hi,

Could someone explain what these new options are:

distance
within

relating to a content option.

Are these enhancements to the offset & depth options?

Below is an experimental rule example:

alert udp any $any -> $Trusted_Networks 1024: \
    (msg: "EXPERIMENTAL RPC status GHBN format string attack"; \
    content: "|00 01 86 B8|"; \
    content: "|00 00 00 02|"; distance: 4; within: 4; \
    content: "%x %x"; distance: 16; within: 256; \
    sid: 1890; rev: 1; reference:bugtraq,1480; \
    reference: cve,CVE-2000-0666; classtype: misc-attack;)


regards

Sean
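
The rule in the message above chains three content matches with distance and within. As an added illustration that is not part of the original post, this Python sketch models the documented Snort semantics (distance skips that many bytes past the end of the previous content match; within limits the window, counted from that point, in which the next pattern must fit) and runs the rule's content chain over constructed payloads. The function and variable names are hypothetical, the payloads are constructed filler, and all other rule options are ignored.

```python
# Added example: simplified model of chained Snort content matching.
# Each step is (pattern, distance, within); None means the option is absent.
RULE_1890 = [
    (bytes.fromhex("000186B8"), None, None),  # content: "|00 01 86 B8|"
    (bytes.fromhex("00000002"), 4, 4),        # distance: 4; within: 4
    (b"%x %x", 16, 256),                      # distance: 16; within: 256
]

def match_chain(payload, steps, prev_end=0, first=True):
    """Return True if every content in steps matches, in order."""
    if not steps:
        return True
    pattern, distance, within = steps[0]
    # The first content searches from the payload start; later ones are
    # relative to the end of the previous match, shifted by 'distance'.
    start = 0 if first else prev_end + (distance or 0)
    # 'within' caps the window that the whole pattern must fit inside.
    end = len(payload) if within is None else min(len(payload), start + within)
    pos = payload.find(pattern, start, end)
    while pos != -1:
        if match_chain(payload, steps[1:], pos + len(pattern), False):
            return True
        # Backtrack: a later occurrence may let the rest of the chain match.
        pos = payload.find(pattern, pos + 1, end)
    return False

# Constructed payloads (filler bytes only, not captured traffic).
PROG = bytes.fromhex("000186B8")
VERS = bytes.fromhex("00000002")
FILL = b"\x11"

# Every field sits where the rule expects it.
HIT = PROG + FILL * 4 + VERS + FILL * 16 + b"AAAA%x %x"
# Second content is one byte too late, so it falls outside "within: 4".
MISS_WITHIN = PROG + FILL * 5 + VERS + FILL * 16 + b"AAAA%x %x"
# Third content starts only 8 bytes after the second, inside the 16
# bytes that "distance: 16" tells the matcher to skip.
MISS_DISTANCE = PROG + FILL * 4 + VERS + FILL * 8 + b"%x %x"

if __name__ == "__main__":
    for name in ("HIT", "MISS_WITHIN", "MISS_DISTANCE"):
        print(name, match_chain(globals()[name], RULE_1890))
```

Unlike offset and depth, which are measured from the start of the payload, both options here are measured from where the previous content match ended.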




