
[Snort-sigs] Snort 1.9 "within:" option broken? (fwd)

From: Carl Gibbons <cgibbons(at)du.edu>
Date: Fri Feb 14 2003 - 10:52:29 EST


(This may be a frequently asked question...)

Is the "within" option in Snort 1.9 signatures working properly?

For example, in this rule in imap.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:" AUTHENTICATE "; nocase; content:!"|0a|"; within:1024; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:1844; rev:4;)

I read the options
  content:!"|0a|"; within:1024;
as
  "match if 0x0a (newline) does not appear in the first 1024 bytes of the payload."

Nevertheless, this rule just alerted on a packet with the following payload:

32 20 61 75 74 68 65 6E 74 69 63 61 74 65 20 70   2 authenticate p
6C 61 69 6E 0D 0A                                 lain..

Maybe I'm reading the option wrong, and it really gets parsed as "match if anything other than a newline appears in the first 1024 bytes of payload." If so, the signature, and all overflow signatures in imap.rules, yield too many false positives to be useful.

- Carl


Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Fri Feb 14 11:29:18 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:24 EDT

