[Snort-users] Possible Cerber False Negative

Kevin Ross kevross33 at ...14012...
Wed Dec 7 10:38:39 EST 2016


Hi,

Looking at rule 38885 I don't think it would hit messages like hi008c1030
which I see from Cerber analyis of sample md5
39594fb96583d261ef4fcc1d76efc84c.

The reason being primarily that dsize is set to 9 in the rule when this is
10 bytes long in these payloads. Pcre regex sets the hex to {6} but this
would be fine without dsize although in this case it will be 7 rather than
6 bytes.

Kind Regards,
Kevin Ross
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161207/6849e80f/attachment.html>


More information about the Snort-users mailing list