Parenthesis confusion.

Unanswered Question
May 28th, 2009

I am confused about what the parentheses mean within a MARS rule.


Consider the following rule:


System Rule: Password Attack: Mail Server - Success Likely.


The logic/clauses look like this:


(( 1 followed-by 2 ) or 3 ) followed-by 4


I don't understand what this means at all. I think that MARS doesn't use the parentheses in a standard logic operation.


I think it means:

( ( Probe1 followed-by Attack2 ) or ( Probe1 followed-by Attack3 ) ) followed-by offset4


Which could also be written: (( 1 followed-by ( 2 or 3 )) followed-by 4


But it very well may also mean:

(1 followed by 2) or (3 followed by 4)


Either way I have to assume the parentheses are screwed up. Can someone clarify this for me?



Also, when this rule is fired I only see in the incident that offset 4 was triggered. Why don't I see the information about what triggered offset 1, followed-by offset 2, and finally followed by offset 4?
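An added example, not part of the original post and not MARS code: a small evaluator that runs the three readings from the question against constructed event streams to show which streams tell them apart. It assumes each numbered offset is a single event type and that `followed-by` means only "occurs later in the same stream"; the tuple encoding and the names `ends`, `fires` and `truth_table` are hypothetical.

```python
# Added illustration; not Cisco MARS code. Assumptions: each numbered offset is
# one event type, and "followed-by" (fb) means "occurs later in the same stream".
# Field correlation and time windows are ignored here.

def ends(expr, events, start=0):
    """Positions just past each point where expr can finish, searching from start."""
    if isinstance(expr, int):  # a single offset
        return {i + 1 for i in range(start, len(events)) if events[i] == expr}
    op, left, right = expr
    if op == "or":
        return ends(left, events, start) | ends(right, events, start)
    if op == "seq":  # left must finish before right begins
        return {e for mid in ends(left, events, start)
                for e in ends(right, events, mid)}
    raise ValueError(f"unknown operator: {op}")

def fires(expr, events):
    """True if the whole expression can be satisfied somewhere in the stream."""
    return bool(ends(expr, events))

# The three readings discussed in the question.
READINGS = {
    "as written: ((1 fb 2) or 3) fb 4": ("seq", ("or", ("seq", 1, 2), 3), 4),
    "1 fb (2 or 3) fb 4": ("seq", ("seq", 1, ("or", 2, 3)), 4),
    "(1 fb 2) or (3 fb 4)": ("or", ("seq", 1, 2), ("seq", 3, 4)),
}

# Constructed event streams (offset numbers in arrival order).
STREAMS = [[1, 2, 4], [1, 3, 4], [3, 4], [1, 2], [4, 3], [4]]

def truth_table():
    """Map each reading to its fire/no-fire result for every stream."""
    return {name: [fires(expr, s) for s in STREAMS]
            for name, expr in READINGS.items()}

if __name__ == "__main__":
    print("streams:", STREAMS)
    for name, row in truth_table().items():
        print(f"{name:34} {row}")
```

Under these assumptions the stream `[3, 4]` separates the expression as written from the `1 fb (2 or 3) fb 4` reading, and `[1, 2]` separates it from the `(1 fb 2) or (3 fb 4)` reading.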



