
| Subject: | Re: [Snort-sigs] Snort Community Rules Update |
|---|---|
| Date: | Thu, 22 Sep 2005 09:43:05 +0300 |
On 21/09/05, Alex Kirk <alex.kirk@sourcefire.com> wrote:

> This message is to announce the availability of an update for the Sourcefire community rule set, which can be downloaded free of cost or registration from http://www.snort.org/pub-bin/downloads.cgi.
>
> <snip>
>
> 100000153 || COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt

This ^^^ rule causes Snort to spit out the following error message:

```
SNORT DETECTION ENGINE: Pure Not Rule 'COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt' not added to detection engine. These rules are not supported at this time.
```

After that Snort continues to load and operates as normal. The rule itself:

```
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt"; flow:to_server,established; isdataat:342; content:!"|0a|"; within:342; flowbits:isset,imap.auth; reference:bugtraq,14317; classtype:attempted-admin; sid:100000153; rev:1;)
```

At first glance over the rule I cannot see what could be wrong. By some very dumb and empirical method I found out that Snort does not like the "content:!..." part. To be exact, it dislikes the "!" symbol. Does anyone have a clue why? By reading the Snort manual I don't see that content negation can cause errors or rule rejection. Aren't we allowed to search the content within some bytes and check if it does _not_ contain a pattern? At least in some of the VRT rules (e.g. sid:2590) this is present and causes no errors... I'm confused...

--
http://nk99.org/

Snort-sigs mailing list: Snort-sigs@lists.sourceforge.net, https://lists.sourceforge.net/lists/listinfo/snort-sigs
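The error quoted above says Snort refuses a rule whose only `content` options are negated (a "pure not" rule). The following added example, not part of the thread or of the Snort project, is a small Python checker that flags rules of that shape before they reach the engine, and also evaluates the detection logic the rejected rule expresses (at least 342 bytes of data, no LF within the first 342 bytes) on constructed payloads. The comparison rule `ANCHORED_RULE` and its sid are hypothetical; the isdataat boundary is modelled as "at least N bytes" and not exercised at the exact edge.

```python
import re

# The rule from the thread, verbatim, and a constructed comparison rule that pairs
# the same negated content with a positive anchor (hypothetical rule and sid).
PURE_NOT_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP MDaemon '
                 'authentication multiple packet overflow attempt"; flow:to_server,established; '
                 'isdataat:342; content:!"|0a|"; within:342; flowbits:isset,imap.auth; '
                 'reference:bugtraq,14317; classtype:attempted-admin; sid:100000153; rev:1;)')
ANCHORED_RULE = ('alert tcp any any -> any 143 (msg:"constructed example"; content:"AUTHENTICATE"; '
                 'nocase; content:!"|0a|"; within:342; sid:1000001; rev:1;)')

# keyword, optional '!' negation, then a quoted string or a bare value, up to ';'
OPTION_RE = re.compile(r'(\w+)\s*:\s*(!?)("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_options(rule):
    """Return [(keyword, negated, value)] for the options between the rule's parentheses."""
    start, end = rule.index('('), rule.rindex(')')
    return [(k, neg == '!', v.strip('"'))
            for k, neg, v in OPTION_RE.findall(rule[start + 1:end])]


def is_pure_not(rule):
    """True when the rule has content options and every one of them is negated,
    which is the shape the detection engine in the thread rejects."""
    negations = [neg for k, neg, _ in parse_options(rule) if k == 'content']
    return bool(negations) and all(negations)


def snort_bytes(s):
    """Expand Snort's |xx xx| hex escapes inside a content string into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(s.split('|')):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)


def rule_matches(payload):
    """Detection logic of sid 100000153 on a single payload: isdataat:342 (modelled as
    at least 342 bytes present) and content:!"|0a|"; within:342 (no LF in those bytes)."""
    return len(payload) >= 342 and snort_bytes('|0a|') not in payload[:342]


if __name__ == '__main__':
    for rule in (PURE_NOT_RULE, ANCHORED_RULE):
        print('pure not' if is_pure_not(rule) else 'anchored', '-', rule[:60])
    # constructed payloads: an overlong unterminated line versus a normal short line
    print(rule_matches(b'A' * 400), rule_matches(b'AUTHENTICATE LOGIN\r\n'))
```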