Parenthesis confusion.

Unanswered Question
May 28th, 2009

I am confused about what the parentheses mean within a MARS rule.

Consider the following rule:

System Rule: Password Attack: Mail Server - Success Likely.

The logic/clauses look like this:

(( 1 followed-by 2 ) or 3 ) followed-by 4

I don't understand what this means at all. I think that MARS doesn't use the parentheses in a standard logic operation.

I think it means:

( ( Probe1 followed-by Attack2 ) or ( Probe1 followed-by Attack3 ) ) followed-by offset4

Which could also be written: (( 1 followed-by ( 2 or 3 )) followed-by 4

But it very well may also mean:

(1 followed by 2) or (3 followed by 4)

Either way I have to assume the parentheses are screwed up. Can someone clarify this for me?

Also, when this rule is fired I only see in the incident that offset 4 was triggered. Why don't I see the information about what triggered offset 1, followed by offset 2, and finally followed by offset 4?

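The readings discussed in the question can be told apart by the event orderings that make each one fire. The sketch below is an added example, not part of the original post and not MARS code; it assumes "A followed-by B" means a match of A completes and a match of B completes later in the same ordered stream, and every name and sample stream in it is constructed for illustration.

```python
# Assumed semantics, not Cisco's documented MARS behaviour. A leaf is an
# offset number; an event stream is the ordered list of offset numbers whose
# conditions matched.

def then(a, b):
    return ("then", a, b)

def either(a, b):
    return ("or", a, b)

def ends(expr, events, start=0):
    """Positions just past every way expr can complete, scanning from start."""
    if isinstance(expr, int):
        return {i + 1 for i in range(start, len(events)) if events[i] == expr}
    op, a, b = expr
    if op == "or":
        return ends(a, events, start) | ends(b, events, start)
    # "then": b must complete after some completion of a
    return {e for mid in ends(a, events, start) for e in ends(b, events, mid)}

def fires(expr, events):
    return bool(ends(expr, events))

READINGS = {
    # ((1 followed-by 2) or 3) followed-by 4, read with ordinary grouping
    "literal": then(either(then(1, 2), 3), 4),
    # ((1 fb 2) or (1 fb 3)) fb 4
    "poster_a": then(either(then(1, 2), then(1, 3)), 4),
    # 1 fb (2 or 3) fb 4, the compact form of poster_a
    "poster_a_alt": then(then(1, either(2, 3)), 4),
    # (1 fb 2) or (3 fb 4)
    "poster_b": either(then(1, 2), then(3, 4)),
}

def compare(events):
    """Which readings fire on one ordered stream of matched offsets."""
    return {name: fires(expr, events) for name, expr in READINGS.items()}

if __name__ == "__main__":
    # Constructed sample streams
    for stream in ([1, 2, 4], [1, 3, 4], [3, 4], [1, 2], [1, 4]):
        print(stream, compare(stream))
```

Under that assumption, a stream containing only offsets 3 then 4 separates the literal grouping from the first proposed reading, and a stream of only 1 then 2 separates the second proposed reading from both.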