Snort mailing list archives

Rule parser rejects content matches longer than depth but doesn't for within.


From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 17 Mar 2010 21:26:14 -0500

It is good that the snort rule parser rejects cases where content >
depth.  It would be cool if it did the same thing for cases where
content > within.

Regards,

Will

#test 11: content with invalid depth modifier. This is handled properly,
#with the error "The depth(2) is less than the size of the content(3)!"
#
#file allworkandnoplayplain.pcap
alert tcp any any -> any any (msg:"content with depth where match is longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown; sid:11; rev:1;)

#this will never match, but is accepted by the rule parser, as content is 3 > within 2
alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+ relative"; byte_jump:1,67,relative; content:"|00 00 38|"; within:2; sid:137; rev:1;)
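The check the post asks for can be done outside Snort as a rule-file lint. The script below is an added example, not part of Will Metcalf's post and not Snort's own parser code: it splits a rule's option body, computes the byte length of each content match (plain text, Snort escapes, and |..| hex blocks), and reports any depth or within value that is smaller than the content it modifies, mirroring Snort's own error wording for the depth case. The function names and the sample rules are constructed for this example; the two rules are copies of the ones above. Only literal integer depth/within values are checked, since a byte_extract variable name cannot be resolved statically.

```python
# Added example (not from the post or from Snort): lint Snort rules for a
# content match that is longer than its depth or within modifier.

def content_length(value):
    """Byte length of a content option value, e.g. '"GET"' or '"|00 00 38|"'.

    Handles a leading '!' negation, Snort escapes (backslash + ", ;, \\ or |)
    that each stand for one byte, and |..| hex blocks where every pair of hex
    digits is one byte.
    """
    s = value.strip()
    if s.startswith("!"):
        s = s[1:].lstrip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    n, i, in_hex = 0, 0, False
    while i < len(s):
        c = s[i]
        if in_hex:
            if c == "|":
                in_hex = False
                i += 1
            elif c.isspace():
                i += 1
            else:
                n += 1          # two hex digits -> one byte
                i += 2
        elif c == "|":
            in_hex = True
            i += 1
        elif c == "\\":
            n += 1              # escaped character counts as one byte
            i += 2
        else:
            n += 1
            i += 1
    return n


def split_options(body):
    """Split the text inside the rule parentheses on ';' outside quotes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if in_quote and c == "\\":   # keep escape pairs intact
            cur.append(body[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def check_rule(rule):
    """Return a list of problems; an empty list means the modifiers are consistent."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return ["rule has no option body"]
    problems, current = [], None   # current = byte length of the latest content
    for opt in split_options(rule[start + 1:end]):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key in ("content", "uricontent"):
            current = content_length(val)
        elif key in ("depth", "within") and current is not None:
            if not val.isdigit():
                continue           # byte_extract variable, cannot check statically
            limit = int(val)
            if limit < current:
                problems.append(
                    f"The {key}({limit}) is less than the size of the content({current})!")
    return problems


# Constructed copies of the two rules from the post.
RULE_DEPTH = ('alert tcp any any -> any any (msg:"content with depth where match is '
              'longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown; '
              'sid:11; rev:1;)')
RULE_WITHIN = ('alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+ '
               'relative"; byte_jump:1,67,relative; content:"|00 00 38|"; within:2; '
               'sid:137; rev:1;)')

if __name__ == "__main__":
    for rule in (RULE_DEPTH, RULE_WITHIN):
        for p in check_rule(rule) or ["ok"]:
            print(p)
```

Run against the two rules above it prints the depth complaint for sid 11 (which Snort itself already raises) and the equivalent within complaint for sid 137, which Snort silently accepts; a rule whose depth or within is at least the content length returns no problems.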
