<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#ffffff">
    Hi All,<br>
    <br>
    I'm just learning how to deal with Snort (as I stated before), so
    it's probably an easy question -- about the "distance" and "within"
    modifiers -- but I'm unable to answer it by myself and hope you could
    help me.<br>
    From what I read (including the quite clear picture at <a
href="http://doc.emergingthreats.net/bin/view/Main/SnortSigs101#What_is_the_difference_between_o">http://doc.emergingthreats.net/bin/view/Main/SnortSigs101#What_is_the_difference_between_o</a>)
    I decided that "within" always has to be greater than "distance"
    for the same "content", but while checking the available rules I've
    found a few that look quite strange to me, namely:<br>
    <br>
    alert tcp $EXTERNAL_NET 1024:65535 -&gt; $HOME_NET 1024:65535
    (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll
    to Compromised Host"; flow:established; content:"metsrv.dll|00|MZ";
    depth:13; content:"!This program cannot be run in DOS mode."; <b>distance:75;
      within:40; </b>classtype:successful-admin;
    reference:url,doc.emergingthreats.net/2009581;
    reference:url,<a class="moz-txt-link-abbreviated" href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter</a>;
    sid:2009581; rev:3;)<br>
    <br>
    alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:"ET
    CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF
    exploits"; flow:established,to_server; content:"POST "; depth:5;
    content:"|0d 0a 0d 0a|id="; content:"|25 32 36|jp"; <b>distance:5;
      within:5;</b> classtype:bad-unknown;
    reference:url,doc.emergingthreats.net/2011350;
    reference:url,<a class="moz-txt-link-abbreviated" href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising</a>;
    sid:2011350; rev:2;)<br>
    <br>
    (quick search through ET ruleset:<br>
    $ cat *rules | perl -n -e '{print if /distance: ?(\d+); ?within:
    ?(\d+);/ &amp;&amp; $1 &gt;= $2}'<br>
    and<br>
    $ cat *rules | perl -n -e '{print if /within: ?(\d+); ?distance:
    ?(\d+);/ &amp;&amp; $2 &gt;= $1}'<br>
    gives a few similar rules)<br>
    <br>
    I've failed to trigger alerts for these rules and thus doubt whether
    they're really going to fire... Please reassure me :)<br>
    Thanks in advance.<br>
    Regards,<br>
    crawler<br>
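    <br>
    Added example, not part of the message above and not Snort's own code: a
    small Python model of how Snort evaluates a content that follows a
    previous content match. The search window for the next pattern starts
    "distance" bytes after the end of the previous match and is "within"
    bytes long, so "within" counts from the post-distance start, not from the
    previous match. A rule with within equal to the pattern length therefore
    pins the pattern at exactly "distance" bytes after the previous match,
    and distance larger than within is perfectly valid. For sid 2009581 that
    is exactly the PE layout: in a standard MZ header the string "!This
    program cannot be run in DOS mode." (40 bytes) begins at offset 0x4D,
    75 bytes past the end of "MZ" at offset 0x02. The payloads built below
    are constructed for this example; the Content class and its field names
    are this example's own, not Snort's API.<br>

```python
# Added example (not Snort's code, not from the original message): a minimal
# model of Snort's content / depth / distance / within semantics, used here to
# show why "distance:75; within:40" and "distance:5; within:5" are valid.
#
# Semantics modelled:
#   - an absolute content (no distance/within) is searched from offset 0;
#     depth:N limits that search to the first N payload bytes;
#   - a relative content (distance and/or within present) is searched starting
#     at doe + distance, where doe is the byte just past the previous match;
#   - within:W limits that search to the W bytes beginning at doe + distance,
#     so the pattern must lie entirely inside payload[doe+D : doe+D+W].
# Hence within == len(pattern) pins the pattern at exactly `distance` bytes
# after the previous match, whether or not within is smaller than distance.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    depth: Optional[int] = None     # absolute search: payload[0:depth]
    distance: Optional[int] = None  # relative search start: doe + distance
    within: Optional[int] = None    # relative search length from that start

    @property
    def relative(self) -> bool:
        return self.distance is not None or self.within is not None


def match_content(payload: bytes, c: Content, doe: int) -> Optional[int]:
    """Return the new doe (offset just past the match) or None if no match."""
    if c.relative:
        start = doe + (c.distance or 0)
        end = len(payload) if c.within is None else start + c.within
    else:
        start = 0
        end = len(payload) if c.depth is None else c.depth
    if start < 0 or start > len(payload):
        return None
    # bytes.find(sub, start, end) only reports sub if it lies fully in [start, end)
    idx = payload.find(c.pattern, start, min(end, len(payload)))
    return None if idx < 0 else idx + len(c.pattern)


def match_chain(payload: bytes, contents: List[Content]) -> bool:
    """True if every content matches in order, each relative to the last."""
    doe = 0
    for c in contents:
        doe = match_content(payload, c, doe)
        if doe is None:
            return False
    return True


# The content chains of ET sids 2009581 and 2011350 quoted in the message.
MZ_STUB_MSG = b"!This program cannot be run in DOS mode."   # 40 bytes
METSRV_RULE = [
    Content(b"metsrv.dll\x00MZ", depth=13),
    Content(MZ_STUB_MSG, distance=75, within=40),
]
SEO_RULE = [
    Content(b"POST ", depth=5),
    Content(b"\r\n\r\nid="),                    # |0d 0a 0d 0a|id=
    Content(b"%26jp", distance=5, within=5),    # |25 32 36|jp
]


def build_metsrv_sample(gap: int = 75) -> bytes:
    """Constructed payload: filename, 'MZ', `gap` filler bytes, then the DOS
    stub message. In a real PE the message starts at offset 0x4D and 'MZ'
    ends at 0x02, so the real gap is 75; other gaps are for contrast."""
    return (b"metsrv.dll\x00MZ" + b"\x00" * gap + MZ_STUB_MSG
            + b"\r\r\n$" + b"\x00" * 16)


def build_seo_sample(between: bytes = b"ABCDE") -> bytes:
    """Constructed POST with `between` separating 'id=' from '%26jp'."""
    return b"POST /x HTTP/1.1\r\nHost: a\r\n\r\nid=" + between + b"%26jp=1"


if __name__ == "__main__":
    for gap in (74, 75, 76):
        print("metsrv gap", gap, "->",
              match_chain(build_metsrv_sample(gap), METSRV_RULE))
    for between in (b"ABCD", b"ABCDE", b"ABCDEF"):
        print("seo between", between, "->",
              match_chain(build_seo_sample(between), SEO_RULE))
```

    Only the payloads with the stub message exactly 75 bytes after "MZ", and
    with exactly 5 bytes between "id=" and "%26jp", match; one byte more or
    less in either gap and the chain fails, which is what those
    distance/within pairs are written to enforce. Had "within" been measured
    from the previous match instead, the window for both rules would be
    empty and they could never fire.<br>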
  </body>
</html>