
Re: [Snort-sigs] Question about sid: 1002

From: Brian <bmc(at)snort.org>
Date: Thu Apr 03 2003 - 16:19:49 EST

> > So we wouldn't match those attacks, if you were looking for "cmd.exe?".
> >
> > I'm sure there is a better way to reduce false positives though. Maybe
> > by looking for a '?' after the cmd.exe search, but no space/tab before
> > the '?', which would indicate the end of the URI.
> >
> OK. So something like content: "cmd.exe"; nocase; depth: 0; content:

"depth:x;" tells the pattern matcher to look for the pattern within X+Y bytes from the beginning of the packet where Y is how many bytes to skip before treating it like the beginning of the packet. This is known as offset, which defaults to 0.

"distance:x;" tells the pattern matcher to start looking for the pattern X bytes from the end of the previous content match.

I've already spoken to Dan about your specific case. What Dan suggests is not currently possible. In your specific case, I would suggest something akin to this rule snippet:

   flow:to_server,established; content:"cmd.exe"; content:"?"; distance:0;

-Brian
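To make the depth/offset/distance semantics Brian describes concrete, here is an added Python model of the content-matching chain (example code written for this archive page, not Brian's code and not Snort's own matcher; the function names `find_content` and `rule_matches` and the sample request lines are constructed for illustration). It evaluates his suggested snippet, `content:"cmd.exe"; content:"?"; distance:0;`, against a few request lines and shows why a '?' that precedes cmd.exe no longer counts as a hit.

```python
from typing import List, Optional

def find_content(payload: bytes, pattern: bytes, *, offset: int = 0,
                 depth: int = 0, distance: Optional[int] = None,
                 nocase: bool = False, prev_end: int = 0) -> int:
    """Return the index just past the match, or -1 if not found.

    Modifiers follow the semantics in the message above:
      offset   - bytes skipped before treating the rest as packet start
      depth    - pattern must lie within offset+depth bytes of the packet
                 start (0 = no limit)
      distance - search begins this many bytes after the END of the
                 previous content match; it has no upper bound on its own
    """
    if distance is not None:
        start, end = prev_end + distance, len(payload)
    else:
        start = offset
        end = len(payload) if depth == 0 else offset + depth
    window = payload[start:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    idx = window.find(pattern)
    return -1 if idx < 0 else start + idx + len(pattern)

def rule_matches(payload: bytes, contents: List[dict]) -> bool:
    """Evaluate an ordered chain of content: options; all must match."""
    prev_end = 0
    for opts in contents:
        prev_end = find_content(payload, prev_end=prev_end, **opts)
        if prev_end < 0:
            return False
    return True

# Brian's suggested chain: content:"cmd.exe"; content:"?"; distance:0;
CMD_EXE_RULE = [
    {"pattern": b"cmd.exe", "nocase": True},
    {"pattern": b"?", "distance": 0},   # '?' must come AFTER cmd.exe
]

# Constructed sample request lines (not captured traffic).
SAMPLES = {
    b"GET /cgi-bin/cmd.exe?foo=bar HTTP/1.0\r\n": True,  # '?' follows cmd.exe
    b"GET /docs/cmd.exe.txt HTTP/1.0\r\n": False,       # no '?' after cmd.exe
    b"GET /search?q=cmd.exe HTTP/1.0\r\n": False,       # '?' precedes cmd.exe
    b"GET /CMD.EXE?x=1 HTTP/1.0\r\n": True,             # nocase on first content
}

def evaluate_samples() -> bool:
    """True when every sample line is classified as expected."""
    return all(rule_matches(line, CMD_EXE_RULE) == want
               for line, want in SAMPLES.items())
```

Because distance:0 sets only a lower bound, any '?' later in the payload satisfies the second content, which is why the whitespace-before-'?' refinement from the quoted message cannot be expressed with these modifiers alone.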




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Thu Apr 3 16:49:42 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:26 EDT
