Snort mailing list archives
Re: Rule parser rejects content matches longer than depth but doesn't for within.
From: snort user <snort.user () gmail com>
Date: Wed, 17 Mar 2010 23:04:38 -0400
Agreed that it would be good if the snort engine rejected that case. At the same time, that is so straightforward that any decent rule writer would not make such a blatant mistake. Don't you think so?

On Wed, Mar 17, 2010 at 10:26 PM, Will Metcalf <william.metcalf () gmail com> wrote:
> It is good that the snort rule parser rejects cases where content > depth. It would be cool if it did the same thing for cases where content > within.
>
> Regards,
>
> Will
>
> #test 11 content with invalid depth modifier this is handled properly with error The depth(2) is less than the size of the content(3)!
> #
> #file allworkandnoplayplain.pcap
> alert tcp any any -> any any (msg:"content with depth where match is longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown; sid:11; rev:1;)
>
> #this will never match but is accepted by the rule parser as content is 3 > within 2
> alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+ relative"; byte_jump:1,67,relative; content:"|00 00 38|"; within:2; sid:137; rev:1;)
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
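Added example, not part of the original messages and not Snort's own parser code: a small pre-deployment lint that applies the same size check to both depth and within, run over the two rules quoted in the thread plus one constructed rule that passes. The names lint_rule and content_length are hypothetical, and the option parsing is simplified (it assumes one rule per string and numeric modifier values).

```python
import re

# Added example, not Snort's parser. Matches one "name:value;" or "name;" option,
# keeping semicolons inside double-quoted values intact.
OPTION_RE = re.compile(r'([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

def content_length(pattern):
    """Byte length of a content pattern: |..| spans are hex bytes, a backslash escapes one byte."""
    total = 0
    for i, part in enumerate(pattern.split("|")):
        if i % 2:                                   # odd segments sit between pipes: hex bytes
            total += len(bytes.fromhex(part))
        else:                                       # literal text, escapes count once
            total += len(re.sub(r"\\(.)", r"\1", part))
    return total

def lint_rule(rule):
    """Return (modifier, limit, content_len) for each depth/within smaller than its content."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    findings, last_len = [], None
    for name, value in OPTION_RE.findall(body):
        value = value.strip()
        if name == "content":
            if value.startswith("!"):               # negated content: the size check does not apply
                last_len = None
                continue
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            last_len = content_length(value)
        elif name in ("depth", "within") and last_len is not None and value.isdigit():
            if int(value) < last_len:               # window is smaller than the pattern
                findings.append((name, int(value), last_len))
    return findings

RULES = [
    # sid 11 and sid 137 are the rules quoted in the thread
    'alert tcp any any -> any any (msg:"content with depth where match is longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown; sid:11; rev:1;)',
    'alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+ relative"; byte_jump:1,67,relative; content:"|00 00 38|"; within:2; sid:137; rev:1;)',
    # constructed rule with consistent sizes, for comparison
    'alert tcp any any -> any 80 (msg:"constructed ok rule"; content:"GET"; depth:3; content:"|0d 0a|"; within:10; sid:1000001; rev:1;)',
]

if __name__ == "__main__":
    for rule in RULES:
        for modifier, limit, size in lint_rule(rule):
            print(f"{modifier}({limit}) is less than the size of the content({size}): {rule}")
```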