[Snort-users] Snort 1.9 "within:" option broken?

Carl Gibbons cgibbons at ...6953...
Fri Jan 17 07:40:13 EST 2003


(If snort-users at lists.sourceforge.net isn't the correct forum for
this kind of query, please let me know.  - Carl)

Is the "within" option in Snort 1.9 signatures working properly?

For example, in this rule in imap.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:" AUTHENTICATE "; nocase; content:!"|0a|"; within:1024; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:1844; rev:4;)

I read the options
  content:!"|0a|"; within:1024;
as
  "match if 0x0a (newline) does not appear in the
   first 1024 bytes of the payload."

Nevertheless, this rule just alerted on a packet with the following payload:

32 20 61 75 74 68 65 6E 74 69 63 61 74 65 20 70  2 authenticate p
6C 61 69 6E 0D 0A                                lain..

Maybe I'm reading the option wrong, and it really gets parsed as
"match if anything other than a newline appears in the first 1024
bytes of payload."  If so, the signature, and all overflow
signatures in imap.rules, yield too many false positives to be
useful.

- Carl
