
[Snort-sigs] Signature Hiccup

From: Dale L. Handy <dhandy(at)nitrodata.com>
Date: Thu Jun 26 2003 - 15:58:34 EDT


I had a strange thing happen on sid 657. I received this packet that triggered a rule, but I don't think it should, or else I don't understand the "within" option like I thought I did. It is essentially a packet from the middle of an SMTP session. The "HELP " content option picked it up, but then the !"|0a|" content option didn't catch the |0a| at the 17th byte in the packet!

Is this a misunderstanding (on my part) of how within works, or is it a misfire in the detection engine? Any ideas?

(BTW, I changed the IP addresses in the packet...)

Thanks...

Rule:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established,no_stream; content: "HELP "; nocase; depth:5; content:!"|0a|"; within:500; reference:bugtraq,2387; reference:arachnids,266; reference:cve,CAN-1999-0261; classtype:attempted-admin; sid:657; rev:7;)

IP Header
  Version         = 4
  Header Length   = 5
  Type of Service = NORMAL SERVICE
  Total Length    = 628
  Identification  = 63847
  Flags           = 2
  Fragment Offset = 0
  Time to Live    = 51
  Protocol        = 6
  Header Checksum = 39518
  IP Source       = 172.16.175.35
  IP Destination  = 192.168.241.20

TCP Header
  Source Port      = 61064
  Destination Port = 25
  Sequence #       = 3547977641
  Acknowledgment # = 2245236913
  Header Length    = 5
  Flags            = ACK PSH
  Window Size      = 24820
  TCP Checksum     = 20437
  Urgent Pointer   = 0

Payload
  000  68 65 6C 70 20 77 69 74 68 20 66 65 72 72 79 0D  help with ferry.
  010  0A 3E 20 73 63 68 65 64 75 6C 69 6E 67 20 74 69  .> scheduling ti
  020  6D 65 73 20 61 6E 64 20 70 72 69 63 65 73 20 65  mes and prices e
  030  74 63 20 61 6E 64 20 77 69 6C 6C 20 67 65 74 20  tc and will get 
  040  74 68 65 6D 20 6F 66 66 20 74 6F 20 79 6F 75 20  them off to you 
  050  61 73 61 70 2E 20 20 44 69 64 0D 0A 79 6F 75 0D  asap.  Did..you.
  060  0A 3E 20 70 6C 61 6E 20 6F 6E 20 73 74 61 79 69  .> plan on stayi
  070  6E 67 20 6F 76 65 72 6E 69 67 68 74 20 69 6E 20  ng overnight in 
  080  56 69 63 74 6F 72 69 61 20 6F 72 20 68 65 61 64  Victoria or head
  090  69 6E 67 20 62 61 63 6B 20 74 6F 20 43 61 6C 69  ing back to Cali
  0A0  66 6F 72 6E 69 61 20 74 68 61 74 0D 0A 3E 20 6E  fornia that..> n
  0B0  69 67 68 74 3F 20 20 49 20 63 61 6E 20 62 6F 6F  ight?  I can boo
  0C0  6B 20 61 20 63 6F 6E 66 65 72 65 6E 63 65 20 72  k a conference r
  0D0  6F 6F 6D 20 69 6E 20 74 68 65 20 68 6F 74 65 6C  oom in the hotel
  0E0  20 77 68 65 72 65 20 49 20 6E 6F 72 6D 61 6C 6C   where I normall
  0F0  79 20 73 74 61 79 20 61 74 0D 0A 3E 20 77 68 65  y stay at..> whe
  100  6E 20 49 20 76 69 73 69 74 20 74 68 61 74 20 69  n I visit that i
  110  73 20 6E 69 63 65 20 61 6E 64 20 65 63 6F 6E 6F  s nice and econo
  120  6D 69 63 61 6C 20 61 6E 64 20 63 61 6E 20 62 6F  mical and can bo
  130  6F 6B 20 79 6F 75 72 20 72 6F 6F 6D 20 74 6F 6F  ok your room too
  140  20 69 66 20 79 6F 75 0D 0A 3E 20 6E 65 65 64 20   if you..> need 
  150  6F 6E 65 2E 20 20 4A 75 73 74 20 73 6F 20 79 6F  one.  Just so yo
  160  75 20 6B 6E 6F 77 20 74 68 65 72 65 20 69 73 20  u know there is 
  170  61 20 61 69 72 70 6F 72 74 20 69 6E 20 56 69 63  a airport in Vic
  180  74 6F 72 69 61 20 74 68 61 74 20 79 6F 75 20 63  toria that you c
  190  6F 75 6C 64 0D 0A 3E 20 66 6C 79 20 6F 75 74 20  ould..> fly out 
  1A0  6F 66 20 69 6E 73 74 65 61 64 20 6F 66 20 67 6F  of instead of go
  1B0  69 6E 67 20 62 61 63 6B 20 74 6F 20 56 61 6E 63  ing back to Vanc
  1C0  6F 75 76 65 72 2E 0D 0A 3E 0D 0A 3E 20 53 75 72  ouver...>..> Sur
  1D0  65 20 68 6F 70 65 20 74 68 69 73 20 68 65 6C 70  e hope this help
  1E0  73 20 61 6E 64 20 49 27 6C 6C 20 62 65 20 69 6E  s and I'll be in
  1F0  20 74 6F 75 63 68 20 72 65 61 6C 20 73 6F 6F 6E   touch real soon
  200  21 0D 0A 3E 0D 0A 3E 20 48 61 70 70 79 20 64 61  !..>..> Happy da
  210  79 21 0D 0A 3E 0D 0A 3E 20 74 61 6D 69 20 78 6F  y!..>..> tami xo
  220  0D 0A 3E 20 2D 2D 2D 2D 2D 20 4F 72 69 67 69 6E  ..> ----- Origin
  230  61 6C 20 4D 65 73 73 61 67 65 20 2D 2D 2D 2D 2D  al Message -----
  240  0D 0A 3E 20 46 72 6F 6D 3A 20 22 4B              ..> From: "K
-- 
"The trouble with doing something right the first time 
 is that nobody appreciates how difficult it was."

-- Dale L. Handy, P.E.
   dhandy@nitrodata.com
   
http://www.nitrodata.com
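An added example, not from the post and not Snort's own code: a small Python model of the two content checks in sid 657, run against the payload reconstructed from the hex dump above. The depth/within window semantics are assumed from the Snort rule-option documentation (depth:N bounds the first match to the first N bytes; within:N bounds the next match to the N bytes after the previous match ends; a negated content succeeds only when its pattern is absent from that window), and the flow/port checks are not modelled.

```python
from typing import Optional

# TCP payload reconstructed from the hex dump in the post: IP total length 628
# minus a 20-byte IP header and a 20-byte TCP header = 588 bytes.
PAYLOAD = (
    b"help with ferry\r\n> scheduling times and prices etc and will get them off to you "
    b"asap.  Did\r\nyou\r\n> plan on staying overnight in Victoria or heading back to Cali"
    b"fornia that\r\n> night?  I can book a conference room in the hotel where I normall"
    b"y stay at\r\n> when I visit that is nice and economical and can book your room too"
    b" if you\r\n> need one.  Just so you know there is a airport in Victoria that you c"
    b"ould\r\n> fly out of instead of going back to Vancouver.\r\n>\r\n> Sure hope this help"
    b"s and I'll be in touch real soon!\r\n>\r\n> Happy day!\r\n>\r\n> tami xo\r\n> ----- Origin"
    b"al Message -----\r\n> From: \"K"
)


def find_content(buf: bytes, pattern: bytes, start: int, end: int,
                 nocase: bool = False) -> Optional[int]:
    """Bounded content search: return the offset just past the first occurrence
    of pattern that lies entirely inside buf[start:end], or None if absent."""
    hay, needle = (buf.lower(), pattern.lower()) if nocase else (buf, pattern)
    idx = hay.find(needle, start, end)
    return None if idx < 0 else idx + len(needle)


def sid657_matches(payload: bytes) -> bool:
    """Model (assumed semantics, see lead-in) of the content checks in sid 657."""
    # content:"HELP "; nocase; depth:5;  -> case-insensitive, must end by byte 5
    end = find_content(payload, b"HELP ", 0, 5, nocase=True)
    if end is None:
        return False
    # content:!"|0a|"; within:500;  -> negated: any 0x0a in the 500 bytes after
    # the previous match (payload[end:end+500]) makes the rule fail
    return find_content(payload, b"\x0a", end, end + 500) is None


def first_lf_offset(payload: bytes) -> int:
    """Zero-based offset of the first 0x0a byte, or -1 if there is none."""
    return payload.find(b"\x0a")


if __name__ == "__main__":
    print("payload bytes:", len(PAYLOAD))
    print("first 0x0a at zero-based offset:", first_lf_offset(PAYLOAD))
    print("sid 657 should alert on the posted packet:", sid657_matches(PAYLOAD))
```

Under these semantics the posted packet does not satisfy the rule (the 0x0a at zero-based offset 16 falls inside the within:500 window), while a HELP line that runs 500 or more bytes without a newline does.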
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Thu Jun 26 17:03:33 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:31 EDT