Snort Forums Archive
Apparent bug with snort content filter?
Posted by Smitty on April 18, 2005 10:11:30
Hello everybody,
I always hesitate to submit to developer forums because I don't consider myself to be a Snort uber-hacker. That being said, here is my problem :-) I have a custom rule such that:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Uh-oh"; flow:to_server,established; content:"140@xxxxxxxxxxxxx.com"; nocase; classtype:internal-snafu; sid:6666; rev:1;)
The rule parses and Snort starts up just fine, however the alert trips almost immediately. When I eyeball the data, the content of the packets that were alerted on has absolutely nothing to do with the content I want to alert on.
I have tested using a higher number at the beginning of the string, a la:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Uh-oh"; flow:to_server,established; content:"1498@xxxxxxxxxxxxx.com"; nocase; classtype:internal-snafu; sid:6666; rev:1;)
And everything works (correctly) like a charm... I have tried pcre and using a complete hex encoding of the data, and the end result is still many alerts with meaningless, non-pertinent packet data. The only thing that I can think of is that the hex address of the dump contains the number 140 in all the above cases and the destination is the domain I am filtering on. Could someone tell me if I am doing something abysmally silly here, or is this legitimately a bug?
Thanks in advance, and apologies in advance for any lack of homework on my part...
Pat
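Editor's note, added to this archived thread and not part of the original post or of Snort itself: the script below reproduces what the `content` option in the rule above actually tests, namely a byte-substring search over the TCP payload, case-insensitive when `nocase` is set, with `|..|` hex escapes decoded into bytes. The sample SMTP payloads are constructed for the example; `parse_content`, `content_match`, `evaluate_rule` and `hexdump` are names chosen here, not Snort APIs. Running the two rule strings from the post over these payloads shows which packets a correct match should hit, and the `hexdump` helper makes the point that the offset column of a hex dump is display text, not payload bytes, so a `0140` in that column cannot by itself satisfy `content:"140@..."`.

```python
"""
Reproduce the semantics of Snort's `content` option (with `nocase`,
`offset` and `depth`) over constructed SMTP payloads.
Added example for this thread; not Snort's own code.
"""
from typing import Dict, List, Optional


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into the exact byte pattern searched for.

    Text outside |...| is literal; text inside is hex, e.g.
    '|31 34 30|@example.com' and '140@example.com' are the same pattern.
    """
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string: %r" % spec)
    out = bytearray()
    for i, seg in enumerate(parts):
        if i % 2 == 0:
            out += seg.encode("latin-1")      # literal segment
        else:
            out += bytes.fromhex(seg)         # hex segment, spaces ignored
    return bytes(out)


def content_match(payload: bytes, spec: str, nocase: bool = False,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """True if the pattern occurs in payload[offset:offset+depth]."""
    pattern = parse_content(spec)
    end = None if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


# Constructed SMTP client->server payloads (not captured traffic).
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    "rcpt_target": b"RCPT TO:<140@xxxxxxxxxxxxx.com>\r\n",
    "rcpt_upper":  b"RCPT TO:<140@XXXXXXXXXXXXX.COM>\r\n",
    "rcpt_other":  b"RCPT TO:<1498@xxxxxxxxxxxxx.com>\r\n",
    "mail_from":   b"MAIL FROM:<alice@example.invalid>\r\n",
    # contains the digits 140 but not the address: must NOT match
    "data_body":   b"Subject: invoice 140\r\n\r\nsee attached\r\n.\r\n",
}


def evaluate_rule(spec: str, nocase: bool,
                  payloads: Dict[str, bytes] = SAMPLE_PAYLOADS) -> List[str]:
    """Names of the payloads the content check would fire on, sorted."""
    return sorted(name for name, data in payloads.items()
                  if content_match(data, spec, nocase=nocase))


def hexdump(payload: bytes) -> str:
    """tcpdump-style dump: offset column, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %-47s  %s" % (off, hexpart, asc))
    return "\n".join(lines)


if __name__ == "__main__":
    for rule in ("140@xxxxxxxxxxxxx.com", "1498@xxxxxxxxxxxxx.com"):
        print("content:%r nocase -> %s" % (rule, evaluate_rule(rule, True)))
    # A 400-byte payload with no address in it: its dump shows offset 0140,
    # yet the content check on the raw bytes does not fire.
    filler = b"A" * 400
    print("0140" in hexdump(filler),
          content_match(filler, "140@xxxxxxxxxxxxx.com", nocase=True))
```

To compare against a live sensor, feed the payload bytes of an alerted packet (for example via `-r` on the pcap with `-d` to dump application data) into `content_match` with the same rule string; if the function returns False for a packet Snort alerted on, the discrepancy is in the sensor or rule options, not in the pattern itself.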