[Snort-users] Problems with the ordering inside the rules

Brian bmc at ...950...
Thu Nov 6 12:09:26 EST 2003


On Tue, Oct 28, 2003 at 11:21:25AM +0100, Sergio Talens-Oliag wrote:
>     pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;)
>     alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;)
> 
>   So, our question is:
>   
>     Is there a strict ordering needed in the content attributes or not?


YES.  The above rules will not do what you expect.

    content: !"|0a|"; within: 10; content: "TOP"; nocase;

The first content looks for \n within 10 bytes relative to the end of the 
previous content.  In this case, the previous content doesn't exist.  These 
options need to be ordered as:

    content: "TOP"; nocase; content: !"|0a|"; within: 10;

-brian
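An added example, not part of the original thread: a small Python model of Snort's content matching that shows how the two option orderings diverge on sample payloads. Beyond what Brian states, it assumes that a `within` with no preceding content match is anchored at the start of the payload, and that a content with no relative modifier is searched over the whole payload; the sample payloads are constructed.

```python
# Added example (not from the thread): minimal model of Snort content /
# nocase / within evaluation, enough to compare the two rule orderings.
# Assumption: with no previous content match, `within` is measured from the
# start of the payload; a content without `within` searches the whole payload.

def evaluate_rule(payload: bytes, contents) -> bool:
    """Evaluate an ordered list of content options; True means 'alert'."""
    anchor = 0  # end of the previous content match (payload start if none)
    for opt in contents:
        hay = payload.lower() if opt.get("nocase") else payload
        needle = opt["content"].lower() if opt.get("nocase") else opt["content"]
        if "within" in opt:   # relative: window follows the previous match
            start, end = anchor, anchor + opt["within"]
        else:                 # absolute: search the whole payload
            start, end = 0, len(hay)
        idx = hay.find(needle, start, end)
        if opt.get("negated"):
            if idx != -1:     # pattern found where it must not be
                return False
        else:
            if idx == -1:
                return False
            anchor = idx + len(needle)
    return True

# The two option orderings discussed in the thread.
AS_POSTED = [{"content": b"\n", "negated": True, "within": 10},
             {"content": b"TOP", "nocase": True}]
CORRECTED = [{"content": b"TOP", "nocase": True},
             {"content": b"\n", "negated": True, "within": 10}]

# Constructed sample payloads (not from the thread).
OVERFLOW = b"TOP " + b"A" * 200                   # long TOP argument
BENIGN = b"TOP 1 2\r\n"                           # normal TOP command
LATE_OVERFLOW = b"RETR 1\r\nTOP " + b"A" * 200    # overflow after a short line
LONG_THEN_BENIGN = b"X" * 20 + b"\r\nTOP 1\r\n"   # long line, then benign TOP

if __name__ == "__main__":
    for name, p in [("OVERFLOW", OVERFLOW), ("BENIGN", BENIGN),
                    ("LATE_OVERFLOW", LATE_OVERFLOW),
                    ("LONG_THEN_BENIGN", LONG_THEN_BENIGN)]:
        print(f"{name:17} as posted: {evaluate_rule(p, AS_POSTED)!s:5} "
              f"corrected: {evaluate_rule(p, CORRECTED)}")
```

The posted ordering misses LATE_OVERFLOW (the earlier command's newline falls in the first 10 bytes) and alerts on LONG_THEN_BENIGN, while the corrected ordering anchors the newline check to the TOP match and gets both right.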
