[Snort-users] rules keyword

Patrice Boulanger pboulanger at ...7942...
Wed Jan 8 10:23:06 EST 2003


OK thanks,

but ACID gives me the following content for the packet:

000 : 50 41 53 53 20 aa bb cc dd ee ff gg hh ii 0D 0A 	PASS *********..

(I have obviously obfuscated the real password).

The length of this packet is 16 bytes, so the signature should never be
triggered, because the 0A is in the 50 bytes following the PASS string? Am
I wrong?

Thanks

-----Original Message-----
From: James Hoagland [mailto:hoagland at ...47...]
Sent: Wednesday, 8 January 2003 19:14
To: Patrice Boulanger; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] rules keyword


At 6:48 PM +0100 1/8/03, Patrice Boulanger wrote:
>Hi,
>
>Can someone tell me what the "within" keyword in the following rule means:
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow
>attempt"; flow:to_server,established; content:"PASS "; nocase;
>content:!"|0a|"; within:50; reference:cve,CAN-1999-1511;
>reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)
>
>I have read the doc but there is nothing about this. I use Snort v1.9 and
>my rule set comes directly from snort.org. These rules are meant to be
>used with this version (as indicated on the web site).

It is limiting the search scope for "|0a|" (a line feed) to the first
50 bytes of the application layer.  The absence of this in the
context of a PASS might indicate an attempt to overflow a buffer with
a long password.

Kind regards,

   Jim
--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
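Added example, not code from this thread or from the Snort project: a small Python model of how the two content checks in sid:1634 combine on one TCP payload. It follows the Snort rule-writer semantics in which within:50 bounds the search for |0a| to the 50 bytes after the end of the preceding "PASS " match (the "doe pointer"), not the first 50 bytes of the payload. The payloads are constructed, the function and constant names are this example's own, and the flow and port tests are assumed to have already passed.

```python
import re

# Constants taken from the rule text quoted in the thread (sid:1634 rev:5)
PASS_CONTENT = b"PASS "   # content:"PASS "; nocase;
LINE_FEED = b"\x0a"       # content:!"|0a|";
WITHIN = 50               # within:50


def sid1634_matches(payload: bytes) -> bool:
    """Model of the two content checks in sid:1634 against one TCP payload.

    flow:to_server,established and the destination-port test are assumed
    to have passed already; only the payload logic is modelled here.
    Returns True when the rule would alert.
    """
    # content:"PASS "; nocase;  ->  first case-insensitive occurrence anywhere
    # in the payload.  The end of this match becomes the reference point for
    # the relative modifier that follows.
    m = re.search(re.escape(PASS_CONTENT), payload, re.IGNORECASE)
    if m is None:
        return False
    # content:!"|0a|"; within:50;  ->  search only the 50 bytes that follow
    # the end of the previous match (truncated at the end of the payload).
    # The '!' inverts the result: the rule proceeds only if no LF is found.
    window = payload[m.end():m.end() + WITHIN]
    return LINE_FEED not in window


# Constructed sample payloads (not captured traffic).
SAMPLE_PAYLOADS = {
    # The 16-byte line from the thread with a made-up 9-byte password:
    # "PASS " + 9 bytes + CR LF.  The LF sits 10 bytes after "PASS ".
    "normal_16_byte_line": b"PASS " + b"abcdefghi" + b"\r\n",
    # Same command in lower case; nocase still finds it.
    "lowercase_normal": b"pass " + b"abcdefghi" + b"\r\n",
    # A 300-byte password: the LF is far beyond the 50-byte window.
    "long_password": b"PASS " + b"A" * 300 + b"\r\n",
    # A pipelined USER line precedes PASS.  An LF does appear inside the
    # first 50 bytes of the payload, but not in the 50 bytes after "PASS ",
    # so the relative within:50 still fires.
    "pipelined_user_then_long_pass": b"USER bob\r\nPASS " + b"B" * 120 + b"\r\n",
    # A PASS line cut off before its terminator (e.g. the client split the
    # command across segments): no LF in the window at all, so the rule
    # fires although the password is short.  Worth knowing when tuning.
    "unterminated_short_pass": b"PASS abc",
    # No PASS command at all: the first content fails, nothing fires.
    "no_pass_command": b"USER bob\r\n",
}


def run_samples() -> dict:
    """Evaluate every constructed sample; True means sid:1634 would alert."""
    return {name: sid1634_matches(p) for name, p in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:32s} alert={fired}")
```

Run it directly to print one verdict per sample. The 16-byte line discussed in the thread does not alert, a 300-byte password does, and so does a PASS command that arrives without its line terminator in the same segment; that last case is the one to keep in mind when this signature fires on a client that is not actually sending an oversized password.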