Some things to remember when trying to figure out why an IDS signature triggered
flowbits:isset,file.pdf - Check that snort has already received enough of the stream to know it is looking at a PDF file (an earlier rule has set the file.pdf flowbit).
Offset - where to start searching, counted from the beginning of the payload
Depth - how deep into the payload to search from that start point
Distance - how many bytes past the end of the previous content match to start the next search
Within - how many bytes after that point the next match must end (the pattern has to fit entirely inside this window)
GET /content/downloads/....
content:"GET"; depth:3; content:"downloads"; distance:10; within:9 (search for downloads starting 10 bytes after the end of GET, and require the match to fall within the next 9 bytes)
http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html
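To see how those modifiers carve out a search window, here is a small simulator of the depth/distance/within logic applied to the rule above. It is an added illustration, not Snort's own matching engine, and it only models the four positional modifiers (no nocase, negation or fast-pattern handling); the sample requests are constructed.

```python
# Simplified model of Snort's offset/depth/distance/within content modifiers
# (added example, not Snort code). Assumed semantics:
#   offset/depth     -> absolute window measured from the start of the payload
#   distance/within  -> window measured from the end of the previous match

def match_content(payload, pattern, offset=0, depth=None,
                  distance=None, within=None, prev_end=0):
    """Return the end index of the match, or None if it is not in the window."""
    if distance is not None or within is not None:
        start = prev_end + (distance or 0)
        end = start + within if within is not None else len(payload)
    else:
        start = offset
        end = offset + depth if depth is not None else len(payload)
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)

def rule_matches(payload, contents):
    """Evaluate a chain of content checks; each one is relative to the last."""
    prev_end = 0
    for c in contents:
        mods = {k: v for k, v in c.items() if k != "content"}
        prev_end = match_content(payload, c["content"], prev_end=prev_end, **mods)
        if prev_end is None:
            return False
    return True

# The rule from the post: GET in the first 3 bytes, then "downloads"
# exactly 10 bytes after the end of GET, fitting inside the next 9 bytes.
RULE = [{"content": b"GET", "depth": 3},
        {"content": b"downloads", "distance": 10, "within": 9}]

def demo():
    hit = b"GET /content/downloads/file.pdf HTTP/1.1\r\n"   # constructed
    miss = b"GET /downloads/file.pdf HTTP/1.1\r\n"          # "downloads" too early
    return rule_matches(hit, RULE), rule_matches(miss, RULE)   # (True, False)
```

Note that "downloads" is exactly 9 bytes, so within:9 is the smallest value that still lets the second content match; within:8 would silently make the rule miss.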