On 0, Eric Hines <eric.hines@appliedwatch.com> wrote:
Hi Blake,
Thanks for your insight. Actually. the packet was provided from Snort. I
cut the IP header for security reasons. What you are looking at is
starting from the first byte of the payload.
In speaking to a few others, we're noticing offset is being used after
depth instead of before, does the order matter? It looks as if the
contributor(s) for the rule are Brian, Nigel/Sourcefire Research Team.
Can anyone from Sourcefire VRT explain whats happening with this rule
and why its firing on these packets despite the depth/offset options?
Apologies for not replying sooner, I just got most of this thread in one
fell swoop (not sure I actually have the whole thing yet, I still don't
see the original message).
I suspect you are also looking at the UDP header in the packet, don't
forget that Snort knows about this and starts it's detection after the
UDP header. The packet display from Snort will show you the whole thing.
Anyway, not a lot more I can say without seeing the packets causing the
event to occur.
+--------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
There is no theory of evolution, just a list
of creatures Vin Diesel allows to live.
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
