Snort mailing list archives
Re: More sid 1841
From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Fri, 21 Feb 2003 11:35:11 -0600
I was having the same problem with lots of hits on this signature with what appeared to be perfectly normal traffic. It appeared obvious to me that this signature was way too general to be of any use.
Ken

At 12:03 AM 2/21/03 -0600, Schmehl, Paul L wrote:
Correct me if I'm wrong, but since double quotes have to be escaped inside a content statement, perhaps this is the problem with rule 1841 - content:"javascript://\" is seen as an open-ended statement. (The closing double quote is "escaped" by the preceding backslash.) This rule appears to be triggering on "javascript://", not on "javascript://\".

I'm very curious about the example (Fig. 2.11) in the rules section of the online documentation. (<http://www.snort.org/docs/writing_rules/chap2.html#content-list%20example>) Just prior to that example, the doc clearly states that ", : and | must be escaped in content statements. If I understand this correctly, then Fig. 2.11 is misleading. It reads:

    alert tcp any any -> 192.168.1.0/24 143 (content: "|90C8 C0FF FFFF|/bin/sh";

Whereas it *should* be:

    alert tcp any any -> 192.168.1.0/24 143 (content: "\|90C8 C0FF FFFF\|/bin/sh";

Correct? If so, then sid 1841 is problematic, and perhaps it should be rewritten like this:

    content:"javascript://"; content:'/\';

Or perhaps this:

    content:'javascript://\';

The two examples I offer depend upon whether the Boyer-Moore pattern matching will match the entire pattern only if it is sequential and adjacent (precisely as written above) or will match it if the characters are found in sequence anywhere in the payload.

Or am I just totally out to lunch? (Sorry. I'm not a computer scientist by profession.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
Brother Kenneth Arnold
System Administrator
Information Technology Services
Christian Brothers University
(901) 321-4333
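Added example, not code from this thread or from Snort itself: a small Python model of how a content option string is decoded, under the assumption that a backslash escapes the character after it, `|...|` encloses hex bytes, and the first unescaped double quote ends the string. It shows the Fig. 2.11 pattern decoding as written, the `"javascript://\"` case leaving the string unterminated, and the bare `javascript://` pattern matching an ordinary link in a constructed payload.

```python
"""Toy decoder for the Snort content:"..." option (added example, assumed syntax).

Assumptions: backslash escapes the next character, |..| delimits hex bytes
(spaces allowed), and the first unescaped double quote closes the string.
The decoded pattern must occur as one contiguous byte string in the payload.
"""
import re


class ContentSyntaxError(ValueError):
    """Raised when the option text cannot be decoded into a pattern."""


def parse_content_option(option: str) -> bytes:
    """Decode the text after 'content:' (e.g. '"|90C8 C0FF FFFF|/bin/sh"')."""
    option = option.strip()
    if not option.startswith('"'):
        raise ContentSyntaxError("content value must start with a double quote")
    out = bytearray()
    i = 1
    while i < len(option):
        ch = option[i]
        if ch == "\\":                       # escape: next char is a literal
            if i + 1 >= len(option):
                raise ContentSyntaxError("dangling backslash")
            out += option[i + 1].encode("latin-1")
            i += 2
        elif ch == "|":                      # hex block runs to the next '|'
            end = option.find("|", i + 1)
            if end == -1:
                raise ContentSyntaxError("unterminated hex block")
            digits = option[i + 1:end].replace(" ", "")
            if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
                raise ContentSyntaxError("bad hex block")
            out += bytes.fromhex(digits)
            i = end + 1
        elif ch == '"':                      # unescaped quote ends the pattern
            return bytes(out)
        else:
            out += ch.encode("latin-1")
            i += 1
    raise ContentSyntaxError("unterminated content string (closing quote escaped or missing)")


def content_matches(option: str, payload: bytes) -> bool:
    """True when the decoded pattern appears contiguously in the payload."""
    return parse_content_option(option) in payload


def explain(option: str) -> str:
    """Human-readable decode result, used to show the escaped-quote failure."""
    try:
        return "pattern=%r" % parse_content_option(option)
    except ContentSyntaxError as err:
        return "syntax error: %s" % err
```

Under these assumptions the Fig. 2.11 pipes are hex delimiters rather than characters needing escapes, and a pattern ending in `\"` never closes, which is the behaviour the message above suspects.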
Current thread:
- More sid 1841 Schmehl, Paul L (Feb 20)
- <Possible follow-ups>
- Re: More sid 1841 Kenneth G. Arnold (Feb 21)
- Re: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 -experimental? Matt Kettler (Feb 21)
- Re: More sid 1841 Michael Boman (Feb 22)
- Re: More sid 1841 Matt Kettler (Feb 22)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 22)