[Snort-users] rules keyword
hoagland at ...47...
Wed Jan 8 10:15:04 EST 2003
At 6:48 PM +0100 1/8/03, Patrice Boulanger wrote:
>Can someone tell me what the "within" keyword in the following rule means:
>alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow
>attempt"; flow:to_server,established; content:"PASS "; nocase;
>content:!"|0a|"; within:50; reference:cve,CAN-1999-1511;
>reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)
>I have read the doc but there is nothing about this. I use Snort v1.9 and
>my rule set comes directly from snort.org. These rules are meant to be
>used with this version (as indicated on the web site).
It is limiting the search scope for "|0a|" (a line feed) to the first
50 bytes of the application layer. The absence of this in the
context of a PASS might indicate an attempt to overflow a buffer with
a long password.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...47..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
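As an added illustration (not part of the original thread), here is a small Python emulation of how the payload options of SID 1634 combine, following the documented Snort semantics: `content` with `nocase` finds "PASS " case-insensitively, and `within:50` restricts the search for the negated second content to the 50 bytes following the end of that first match. The sample payloads are constructed for the demonstration.

```python
"""Emulate the content / nocase / content:! / within logic of Snort SID 1634."""
import re

WITHIN = 50  # from the rule: within:50


def pop3_pass_overflow_fires(payload: bytes) -> bool:
    """Return True if the rule's payload options would match this payload.

    content:"PASS "; nocase;     -> locate "PASS " case-insensitively
    content:!"|0a|"; within:50;  -> require that no 0x0a (LF) appears in the
                                    50 bytes after the end of the "PASS " match
    """
    # nocase: case-insensitive byte search; relative modifiers that follow
    # are anchored to the end of this match.
    m = re.search(rb"PASS ", payload, re.IGNORECASE)
    if m is None:
        return False  # first content never matched, so the rule cannot fire

    # within:N without distance: the next content must lie in the N bytes
    # directly following the previous match.
    window = payload[m.end():m.end() + WITHIN]

    # Negated content: the rule matches only when the LF is absent from
    # that window, i.e. the password ran past 50 bytes without a line end.
    return b"\n" not in window


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    samples = {
        "normal login":      b"USER bob\r\nPASS secret\r\n",
        "long password":     b"PASS " + b"A" * 200 + b"\r\n",
        "lowercase, 40 + LF": b"pass " + b"A" * 40 + b"\n",
        "no PASS at all":    b"USER bob\r\nQUIT\r\n",
    }
    for name, data in samples.items():
        print(f"{name:20s} -> {'ALERT' if pop3_pass_overflow_fires(data) else 'no alert'}")
```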