[Emerging-Sigs] distance >= within ?

Joel Esler jesler at sourcefire.com
Fri Oct 8 07:45:30 EDT 2010


http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html


--
Sent from my iPad

On Oct 8, 2010, at 4:24 AM, ilya <crawler.p at gmail.com> wrote:

> Hi All,
> 
> I'm just learning how to deal with Snort (as I stated before), so probably it's an easy question -- about "distance" and "within" modifiers, but I'm unable to answer it by myself and hope you could help me.
> From what I read (including a quite clear picture from http://doc.emergingthreats.net/bin/view/Main/SnortSigs101#What_is_the_difference_between_o ) I decided that "within" has to always be greater than "distance" for the same "content", but while checking available rules I've found a few that are quite strange to me, namely:
> 
> alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"metsrv.dll|00|MZ"; depth:13; content:"!This program cannot be run in DOS mode."; distance:75; within:40; classtype:successful-admin; reference:url,doc.emergingthreats.net/2009581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009581; rev:3;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF exploits"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|id="; content:"|25 32 36|jp"; distance:5; within:5; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2011350; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising; sid:2011350; rev:2;)
> 
> (quick search through ET ruleset:
> $ cat *rules | perl -n -e '{print if /distance: ?(\d+); ?within: ?(\d+);/ && $1 >= $2}'
> and
> $ cat *rules | perl -n -e '{print if /within: ?(\d+); ?distance: ?(\d+);/ && $2 >= $1}'
> gives a few similar rules)
> 
> I've failed to prepare alerts for these rules and thus doubt if they're really going to fire... Please assure me :)
> Thanks in advance.
> Regards,
> crawler  
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
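As an added example (not from the thread, the blog post or the ET ruleset): a small Python model of Snort's relative content modifiers, run against the two rules quoted above. It assumes Snort 2 semantics, where `within` bounds a window measured from the point `distance` has moved the search start to, not from the end of the previous match; `find_content`, the two rule functions and the sample payloads are constructed here.

```python
from typing import Optional

# Assumption (Snort 2 behaviour): `distance` moves the search start N bytes past
# the end of the previous match; `within` caps the window measured from that
# moved start, so the whole pattern must fit in payload[start:start + within].
def find_content(payload: bytes, pattern: bytes, start: int = 0,
                 window: Optional[int] = None) -> Optional[int]:
    """Return the end offset of `pattern` if it fits inside the window, else None."""
    end = len(payload) if window is None else start + window
    idx = payload.find(pattern, start, end)  # match must lie entirely in [start, end)
    return None if idx < 0 else idx + len(pattern)


def matches_2009581(payload: bytes) -> bool:
    """content:"metsrv.dll|00|MZ"; depth:13; content:"!This ... DOS mode."; distance:75; within:40;"""
    end1 = find_content(payload, b"metsrv.dll\x00MZ", 0, 13)   # absolute: offset 0, depth 13
    if end1 is None:
        return False
    # Relative to end1: skip 75 bytes, then a 40-byte pattern must fit in 40 bytes,
    # i.e. it has to start exactly 75 bytes after "MZ" ends. within < distance is fine.
    dos_stub = b"!This program cannot be run in DOS mode."
    return find_content(payload, dos_stub, end1 + 75, 40) is not None


def matches_2011350(payload: bytes) -> bool:
    """content:"POST "; depth:5; content:"|0d 0a 0d 0a|id="; content:"|25 32 36|jp"; distance:5; within:5;"""
    if find_content(payload, b"POST ", 0, 5) is None:
        return False
    end2 = find_content(payload, b"\r\n\r\nid=")                 # no modifiers: anywhere
    if end2 is None:
        return False
    # "%26jp" (5 bytes) must sit exactly 5 bytes after "id=": the id value is 5 characters.
    return find_content(payload, b"%26jp", end2 + 5, 5) is not None


# Constructed sample payloads (not real captures). In a PE file the "!" of the
# DOS-stub string is the 0x21 of the stub's last "int 21h" at 0x4D, i.e. 75 bytes
# after the two-byte "MZ" ends; the zero filler stands in for the rest of the header.
METSRV_OK = b"metsrv.dll\x00MZ" + b"\x00" * 75 + b"!This program cannot be run in DOS mode."
METSRV_SHIFTED = b"metsrv.dll\x00MZ" + b"\x00" * 76 + b"!This program cannot be run in DOS mode."
SEO_OK = b"POST /x HTTP/1.1\r\nHost: a\r\n\r\nid=12345%26jp=1"
SEO_LONG_ID = b"POST /x HTTP/1.1\r\nHost: a\r\n\r\nid=123456%26jp=1"

if __name__ == "__main__":
    print(matches_2009581(METSRV_OK), matches_2009581(METSRV_SHIFTED))  # True False
    print(matches_2011350(SEO_OK), matches_2011350(SEO_LONG_ID))        # True False
```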