[Snort-devel] Problems with within
From: Duncan, Lisa M <lisa.duncan(at)qwest.com>
Date: Tue Jul 08 2003 - 17:15:20 EDT
I am new to the rule writing crowd and I am getting sporadic results when using the distance and within rule options. I have included my rule and the two packets in question. If I remove the 'within: 3' from the below rule both packets are captured; however, this is not sufficient for our application, as junk also falls through. Any help would be appreciated.

Thanks,
Lisa

Here is my rule:

alert tcp any any -> any <removed proprietary> (msg:"PPP SC"; content: "|2A|"; content: "|0A 53 43|"; distance: 4; within: 3; sid:2000001; rev:1;)

This rule captures packets of this type:

0x0000 4500 0038 0061 4000 7f06 f2b5 419c b805 E..8.a@.....A...
0x0010 cdbc 414b 047d 4821 0807 0f9a 79ea 08ed ..AK.}H!....y...
0x0020 5018 3e26 be92 0000 2a02 430f 000a 5343 P.>&....*.C...SC
0x0030 00e4 0001 0000 0200 ........

But will not capture packets of this type:

0x0000 4500 0552 0028 4000 7f06 6dc3 419a 3412 E..R.(@...m.A.4.
0x0010 cdbc 4552 0403 4821 02b3 ba01 985a 8075 ..ER..H!.....Z.u
0x0020 5018 420f 4b9c 0000 2a02 17af 0011 6631 P.B.K...*.....f1
0x0030 005c 0001 0003 0104 002e a698 0002 002a .\.............*
0x0040 0217 b000 1144 5700 5300 0100 0301 0400 .....DW.S.......
0x0050 0000 0100 0200 2a02 17b1 0015 6574 005d ......*.....et.]
0x0060 0001 0000 0e08 0101 0000 0000 042c 0002 .............,..
0x0070 002a 0217 b200 0a53 4300 4200 0100 0002 .*.....SC.B.....

Received on Tue Jul 8 17:38:32 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT
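Added example, not part of Lisa's post: a small Python emulation of the distance/within relative-content semantics, run over the TCP payloads of the two packets she quoted. It parses the dumps as posted, strips the IP and TCP headers using their length fields, and shows the rule matching packet 1, failing on packet 2 when the relative search is anchored on the first |2A| only, and matching packet 2 once within is dropped. The exact window semantics and the retry_anchor flag are assumptions about the engine, not taken from the post.

```python
import re  # the two hex dumps below are copied verbatim from the post (packet 2 only as far as quoted)
PKT1_DUMP = r"""
0x0000 4500 0038 0061 4000 7f06 f2b5 419c b805 E..8.a@.....A...
0x0010 cdbc 414b 047d 4821 0807 0f9a 79ea 08ed ..AK.}H!....y...
0x0020 5018 3e26 be92 0000 2a02 430f 000a 5343 P.>&....*.C...SC
0x0030 00e4 0001 0000 0200 ........
"""
PKT2_DUMP = r"""
0x0000 4500 0552 0028 4000 7f06 6dc3 419a 3412 E..R.(@...m.A.4.
0x0010 cdbc 4552 0403 4821 02b3 ba01 985a 8075 ..ER..H!.....Z.u
0x0020 5018 420f 4b9c 0000 2a02 17af 0011 6631 P.B.K...*.....f1
0x0030 005c 0001 0003 0104 002e a698 0002 002a .\.............*
0x0040 0217 b000 1144 5700 5300 0100 0301 0400 .....DW.S.......
0x0050 0000 0100 0200 2a02 17b1 0015 6574 005d ......*.....et.]
0x0060 0001 0000 0e08 0101 0000 0000 042c 0002 .............,..
0x0070 002a 0217 b200 0a53 4300 4200 0100 0002 .*.....SC.B.....
"""

def dump_to_bytes(dump):
    """Parse the 'offset, up to 8 hex groups, ascii' dump format used in the post."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:9]:
            if not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
                break                              # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def tcp_payload(pkt):
    """Skip the IPv4 header (IHL field) and the TCP header (data offset field)."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]
def rule_matches(payload, first, second, distance, within=None, retry_anchor=False):
    """Emulate 'content:first; content:second; distance:D; within:W;' -> (off1, off2)
    or None. `second` must fit inside the `within` bytes starting `distance` past the
    end of `first` (None = unbounded); retry_anchor (an assumption) retries later hits."""
    p = payload.find(first)
    while p != -1:
        start = p + len(first) + distance
        hit = payload.find(second, start, None if within is None else start + within)
        if hit != -1:
            return (p, hit)
        if not retry_anchor:
            return None
        p = payload.find(first, p + 1)
    return None
PKT1, PKT2 = (tcp_payload(dump_to_bytes(d)) for d in (PKT1_DUMP, PKT2_DUMP))
if __name__ == "__main__":   # columns: rule as posted / 'within' removed / with anchor retry
    for name, pl in (("packet 1", PKT1), ("packet 2", PKT2)):
        print(name, [rule_matches(pl, b"\x2a", b"\x0a\x53\x43", *o) for o in ((4, 3), (4,), (4, 3, True))])
```

Packet 2 only matches the posted rule if the engine moves on to the |2A| at payload offset 73 after the first one fails, which is why dropping within (which lets the search run forward from the first |2A|) makes it fire.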