<html><body bgcolor="#FFFFFF"><div><br><a href="http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html">http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html</a></div><div><br></div><div><br><div>--</div>Sent from my iPad</div><div><br>On Oct 8, 2010, at 4:24 AM, ilya &lt;<a href="mailto:crawler.p@gmail.com">crawler.p@gmail.com</a>&gt; wrote:<br><br></div><div></div><blockquote type="cite"><div>

    Hi All,<br>
    <br>
    I'm just learning how to deal with Snort (as I stated before), so
    it's probably an easy question -- about the "distance" and "within"
    modifiers, but I'm unable to answer it by myself and hope you could
    help me.<br>
    From what I read (including the quite clear picture from <a href="http://doc.emergingthreats.net/bin/view/Main/SnortSigs101#What_is_the_difference_between_o">http://doc.emergingthreats.net/bin/view/Main/SnortSigs101#What_is_the_difference_between_o</a>
    ) I decided that "within" always has to be greater than "distance"
    for the same "content", but while checking the available rules I've
    found a few that look quite strange to me, namely:<br>
    <br>
    alert tcp $EXTERNAL_NET 1024:65535 -&gt; $HOME_NET 1024:65535
    (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll
    to Compromised Host"; flow:established; content:"metsrv.dll|00|MZ";
    depth:13; content:"!This program cannot be run in DOS mode."; <b>distance:75;
      within:40; </b>classtype:successful-admin;
    reference:url,<a href="http://doc.emergingthreats.net/2009581">doc.emergingthreats.net/2009581</a>;
    reference:url,<a class="moz-txt-link-abbreviated" href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter</a>;
    sid:2009581; rev:3;)<br>
    <br>
    alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:"ET
    CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF
    exploits"; flow:established,to_server; content:"POST "; depth:5;
    content:"|0d 0a 0d 0a|id="; content:"|25 32 36|jp"; <b>distance:5;
      within:5;</b> classtype:bad-unknown;
    reference:url,<a href="http://doc.emergingthreats.net/2011350">doc.emergingthreats.net/2011350</a>;
    reference:url,<a class="moz-txt-link-abbreviated" href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising</a>;
    sid:2011350; rev:2;)<br>
    <br>
    (quick search through ET ruleset:<br>
    $ cat *rules | perl -n -e '{print if /distance: ?(\d+); ?within:
    ?(\d+);/ &amp;&amp; $1 &gt;= $2}'<br>
    and<br>
    $ cat *rules | perl -n -e '{print if /within: ?(\d+); ?distance:
    ?(\d+);/ &amp;&amp; $2 &gt;= $1}'<br>
    gives a few similar rules)<br>
    <br>
    I've failed to produce alerts for these rules and thus doubt whether
    they're really going to fire... Please reassure me :)<br>
    Thanks in advance.<br>
    Regards,<br>
    crawler<br>
  

</div></blockquote><blockquote type="cite"><div><span></span><br><span>_______________________________________________</span><br><span>Emerging-sigs mailing list</span><br><span><a href="mailto:Emerging-sigs@emergingthreats.net">Emerging-sigs@emergingthreats.net</a></span><br><span><a href="http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs">http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a></span><br><span></span><br><span>Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards</span><br><span><a href="http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html">http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html</a></span></div></blockquote></body></html>
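An added example, not from the thread, the linked blog post or the ET ruleset: a small Python model of how Snort 2 evaluates a chain of content matches with offset/depth and distance/within, run over constructed payloads shaped like the two quoted rules (sids 2009581 and 2011350). It assumes Snort 2.x semantics: distance moves the search start relative to the end of the previous match, and within is the length of the search window counted from that shifted start, not from the previous match itself. Under that reading "within" smaller than "distance" is perfectly normal, and a within equal to the pattern length pins the second content to one exact position. The function and payload names are this example's own, and the MZ header and HTTP request are constructed samples with most fields zeroed or made up.

```python
# Added example: model of Snort 2 relative content matching (not Snort code,
# not the ET ruleset).  Assumption: 'distance' shifts the search start
# relative to the end of the previous match and 'within' is the window
# length from that shifted start (Snort 2.x behaviour).


def content_chain_matches(payload: bytes, chain) -> bool:
    """Evaluate content specs in rule order and report whether all matched.

    Each spec is a dict with 'content' (bytes) and optional 'offset',
    'depth', 'distance' and 'within'.  As in Snort, the whole pattern must
    lie inside the search window.
    """
    cursor = 0  # Snort's "doe" pointer: first byte after the last match
    for spec in chain:
        pat = spec["content"]
        if "distance" in spec or "within" in spec:
            start = cursor + spec.get("distance", 0)        # relative to the last match
            end = start + spec["within"] if "within" in spec else len(payload)
        else:
            start = spec.get("offset", 0)                   # absolute, from the payload start
            end = start + spec["depth"] if "depth" in spec else len(payload)
        idx = payload.find(pat, start, end)                 # find() needs the full pattern inside [start, end)
        if idx < 0:
            return False
        cursor = idx + len(pat)
    return True


# Content chains of the two ET rules quoted in the thread; the rule header,
# flow and classtype are not modelled.
METSRV_CHAIN = [
    {"content": b"metsrv.dll\x00MZ", "depth": 13},
    {"content": b"!This program cannot be run in DOS mode.", "distance": 75, "within": 40},
]
SEO_KIT_CHAIN = [
    {"content": b"POST ", "depth": 5},
    {"content": b"\r\n\r\nid="},
    {"content": b"%26jp", "distance": 5, "within": 5},     # |25 32 36|jp
]


def metsrv_payload(gap: int = 75) -> bytes:
    """Constructed sample of the metsrv.dll transfer: the file name, a NUL,
    then a stripped-down MZ header.  'gap' is the number of bytes between
    the end of the first content match ("...MZ") and the DOS-stub banner;
    the standard linker stub places the banner at 0x4D, i.e. gap == 75.
    """
    dos_fields = bytes(62)                                  # e_cblp .. e_lfanew, zeroed for the sample
    stub_code = bytes.fromhex("0e1fba0e00b409cd21b8014ccd")  # the 13 stub bytes preceding the banner
    filler = (dos_fields + stub_code)[:gap].ljust(gap, b"\x90")
    banner = b"!This program cannot be run in DOS mode.\r\r\n$"
    return b"metsrv.dll\x00MZ" + filler + banner


def seo_kit_payload(id_value: bytes) -> bytes:
    """Constructed HTTP POST in the shape the SEO kit rule looks for."""
    body = b"id=" + id_value + b"%26jp=1"
    head = (b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    return head + body


if __name__ == "__main__":
    for gap in (74, 75, 76):
        print("metsrv gap=%d -> %s" % (gap, content_chain_matches(metsrv_payload(gap), METSRV_CHAIN)))
    for idv in (b"1234", b"12345", b"123456"):
        print("seo id=%r -> %s" % (idv, content_chain_matches(seo_kit_payload(idv), SEO_KIT_CHAIN)))
```

Only the 75-byte gap and the five-byte id value match: distance:75; within:40 on a 40-byte pattern accepts the banner at exactly one position, and distance:5; within:5 on "%26jp" does the same for a five-character id. The 75 in the metsrv rule is the banner's usual offset in the DOS stub (0x4D) minus the two "MZ" bytes already consumed by the first content, so the rule is tighter, not broken.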