[Emerging-Sigs] distance >= within ?

ilya crawler.p at gmail.com
Fri Oct 8 04:24:38 EDT 2010

  Hi All,

I'm just learning how to deal with Snort (as i stated before), so 
probably it's an easy question -- about "distance" and "within" 
modifiers, but i'm unable to answer it by myself and hope you could help me.
 From what I read (including quite clear picture from 
<http://doc.emergingthreats.net/bin/view/Main/SnortSigs101> ) I decided 
that "within" has to always be greater than "distance" for the same 
"content", but while checking available rules I've found a few ones that 
are quite strange for me, namely:

alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET 
ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to 
Compromised Host"; flow:established; content:"metsrv.dll|00|MZ"; 
depth:13; content:"!This program cannot be run in DOS mode."; 
*distance:75; within:40; *classtype:successful-admin; 
sid:2009581; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF 
exploits"; flow:established,to_server; content:"POST "; depth:5; 
content:"|0d 0a 0d 0a|id="; content:"|25 32 36|jp"; *distance:5; 
within:5;* classtype:bad-unknown; 
sid:2011350; rev:2;)

(quick search through ET ruleset:
$ cat *rules | perl -n -e '{print if /distance: ?(\d+); ?within: 
?(\d+);/ && $1 >= $2}'
$ cat *rules | perl -n -e '{print if /within: ?(\d+); ?distance: 
?(\d+);/ && $2 >= $1}'
gives a few similar rules)

I've failed to prepare alerts for these rules and thus doubt if they're 
really going to fire... Please assure me :)
Thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20101008/f04e2cd2/attachment-0001.html

More information about the Emerging-sigs mailing list