[Snort-users] rules keyword

James Hoagland hoagland at ...47...
Wed Jan 8 10:15:04 EST 2003

At 6:48 PM +0100 1/8/03, Patrice Boulanger wrote:
>Someone can tell me what the "within" keyword in the following rule means :
>alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow
>attempt"; flow:to_server,established; content:"PASS "; nocase;
>content:!"|0a|"; within:50; reference:cve,CAN-1999-1511;
>reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)
>I have read the doc but there is nothing about this. I use a snort v1.9 and
>my rules set comes directly from snort.org. These rules are attempted to be
>use with this version (as indicated on the web site).

It is limiting the search scope for "|0a|" (a line feed) to the first 
50 bytes of the application layer.  The absence of this in the 
context of a PASS might indicate an attempt to overflow a buffer with 
a long password.

Kind regards,

|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|

More information about the Snort-users mailing list