Rong-Tai Liu wrote:
Hello,
I'm trying to interpret the following signature but keep failing :-(
Does anyone know how the snort kernel process the following signature?
When the engine find the content "|07|", why it needs a "within" and
"depth" for the following byte_jump?
You can't and there isn't. Also, there's no depth keyword AT ALL in this rule, I
assume you mean distance, not depth.
The within:1 and distance:-4 are modifiers to the content:"|07|" search, not the
byte_jump.
Remember, within and distance always modify the search keyword before them, not
the search keyword after them.
Thanks a lot.
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third
payload certificate request length overflow attempt";
byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|";
within:1; distance:-4; byte_jump:2,1,relative;
byte_test:2,>,2043,-2,relative; reference:bugtraq,9582;
reference:cve,2004-0040; classtype:attempted-admin; sid:237);
Break that rule up this way and it's easier to understand:
byte_test:4,>,2043,24;
byte_jump:2,30,relative;
content:"|07|";within:1; distance:-4;
byte_jump:2,1,relative;
byte_test:2,>,2043,-2,relative;
-------------------------------------------------------
This SF.Net email is sponsored by Yahoo.
Introducing Yahoo! Search Developer Network - Create apps using Yahoo!
Search APIs Find out how you can build Yahoo! directly into your own
Applications - visit http://developer.yahoo.net/?fr=offad-ysdn-ostg-q22005
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
