Snort mailing list archives
Re: SMTP content-type overflow rule question
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 3 Dec 2010 16:46:21 -0500
The current version basically says "Not a return or a new line for 300 characters". So it seems to me that the buffer overflow is a Content-Type string that is 300 bytes or larger long. J On Fri, Dec 3, 2010 at 1:27 PM, Bobby Venal <bobby.venal () gmail com> wrote:
Hi all,
An organization I work with had an older version of the 'SMTP
Content-Type overflow' rule in place; it was using this PCRE:
"/^Content-Type\x3A[^\x0d\x0a]{300,}$/im"
I noticed that the current version is this:
"/^\s*Content-Type\s*\x3A\s*[^\r\n]{300}/mi"
And I just wanted to make sure I understood one of the differences.
Am I correct in thinking that:
{300,}$ means "at least 300 occurrences of the preceding character
class, then end-of-line
and
{300} mean "exactly 300 occurrences of the preceding character class"
------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Joel Esler ------------------------------------------------------------------------------ Oracle to DB2 Conversion Guide: New IBM DB2 features make compatibility easy. Learn about native support for PL/SQL, new data types, scalar functions, improved concurrency, built-in packages, OCI, SQL*Plus, data movement tools, best practices and more - all designed to run applications on both DB2 and Oracle platforms. http://p.sf.net/sfu/oracle-sfdev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SMTP content-type overflow rule question Bobby Venal (Dec 03)
- Re: SMTP content-type overflow rule question Joel Esler (Dec 03)
- Re: SMTP content-type overflow rule question Rich Graves (Dec 03)
- Re: SMTP content-type overflow rule question Joel Esler (Dec 03)