Snort mailing list archives
Re: Rule parser rejects content matches longer than depth but doesn't for within.
From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 17 Mar 2010 22:48:20 -0500
Cool! Thanks Matt.

Regards,

Will

On Wed, Mar 17, 2010 at 10:45 PM, Matt Olney <molney () sourcefire com> wrote:

No, it's silly and it will cost people time. Plus it will confuse folks and frustrate them. And...

[molney@vrt-app-01 2.8.6.rc1]$ ./bin/snort -c ./etc/snort.conf -A cmg -l/tmp -r ~/1.pcap -q
ERROR: /home/molney/snort/2.8.6/rules/local.rules(8) The depth (2) is less than the size of the content(3)!
Fatal Error, Quitting..

[molney@vrt-app-01 2.8.6.rc1]$ ./bin/snort -c ./etc/snort.conf -A cmg -l/tmp -r ~/1.pcap -q
ERROR: /home/molney/snort/2.8.6/rules/local.rules(9) within (5) is smaller than size of pattern
Fatal Error, Quitting..

Fixed in 2.8.6.

Matt

On Wed, Mar 17, 2010 at 11:36 PM, Will Metcalf <william.metcalf () gmail com> wrote:

Yep, agreed, not a huge deal; it just might save a rule writer some time who may have added an extra byte to a content: match but forgot to modify within. I have made this mistake before, but then again I don't claim to be a great rule writer. I think the 10 minutes it would take to cut and paste the check from depth: to within: is worth the 2 minutes it will save all future rule writers searching for a typo in some multi-part flow-bit setting/checking monster of a rule with fangs and eyeballs, don't you? Also, it would be nice to have consistency here, especially since within: acts like depth: when no previous content match in the rule can be found.

Regards,

Will

On Wed, Mar 17, 2010 at 10:04 PM, snort user <snort.user () gmail com> wrote:

Agreed that it would be good if the snort engine rejected that case. At the same time, that is so straightforward that any decent rule writer would not make such a blatant mistake. Don't you think so?

On Wed, Mar 17, 2010 at 10:26 PM, Will Metcalf <william.metcalf () gmail com> wrote:

It is good that the snort rule parser rejects cases where content > depth. It would be cool if it did the same thing for cases where content > within.

Regards,

Will

#test 11 content with invalid depth modifier this is handled properly with error The depth(2) is less than the size of the content(3)!
#
#file allworkandnoplayplain.pcap
alert tcp any any -> any any (msg:"content with depth where match is longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown; sid:11; rev:1;)

#this will never match but is accepted by the rule parser as content is 3 > within 2
alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+ relative"; byte_jump:1,67,relative; content:"|00 00 38|"; within:2; sid:137; rev:1;)

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
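As an added illustration of the sanity check discussed in this thread (not code from Snort or from any poster), the following Python checker parses a rule's option body, counts content bytes including |hex| escapes, and flags a depth or within value smaller than the content it qualifies, using the two rules posted above as constructed input. It assumes a simplified option grammar (quoted or bare values ending in ';') and does not handle escaped literal pipes inside a pattern.

```python
import re

# Constructed sample input: the two local.rules entries posted in the thread.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"content with depth where match is longer than depth GET"; '
    'content:"GET"; depth:2; classtype:bad-unknown; sid:11; rev:1;)',
    'alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+ relative"; '
    'byte_jump:1,67,relative; content:"|00 00 38|"; within:2; sid:137; rev:1;)',
]

# One rule option: keyword, optional ':' and a quoted (possibly negated) or bare value, ending in ';'.
# Simplified grammar (assumption): escaped quotes are handled, the rest of Snort's syntax is not.
OPTION_RE = re.compile(r'([a-z_]+)\s*:?\s*(!?"(?:[^"\\]|\\.)*"|[^;]*);')


def pattern_length(content):
    """Byte length of a content pattern: literal text plus |hh hh ...| hex escapes.
    Simplification: an escaped literal pipe (\\|) inside the pattern is not handled."""
    total = 0
    for i, piece in enumerate(content.split("|")):
        if i % 2 == 1:          # odd pieces sit between pipes: each hex pair is one byte
            total += len(piece.split())
        else:                   # even pieces are plain text, one byte per character
            total += len(piece)
    return total


def split_options(rule):
    """Return (keyword, value) pairs from the parenthesised option body of a rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = []
    for key, val in OPTION_RE.findall(body):
        pairs.append((key, val.strip().lstrip("!").strip('"')))
    return pairs


def check_rule(rule):
    """Apply the parser check from the thread to depth AND within:
    a modifier smaller than the content it qualifies can never match."""
    errors = []
    current_len = None          # length of the most recent content: keyword
    for key, val in split_options(rule):
        if key == "content":
            current_len = pattern_length(val)
        elif key in ("depth", "within") and current_len is not None:
            limit = int(val)
            if limit < current_len:
                errors.append(f"{key} ({limit}) is less than the size of the content({current_len})")
    return errors
```

Run over SAMPLE_RULES, the first rule is rejected for depth and the second for within, which is the consistent behaviour the thread asks for.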
Current thread:
- Rule parser rejects content matches longer than depth but doesn't for within. Will Metcalf (Mar 17)
- Re: Rule parser rejects content matches longer than depth but doesn't for within. snort user (Mar 17)
- Re: Rule parser rejects content matches longer than depth but doesn't for within. Will Metcalf (Mar 17)
- Re: Rule parser rejects content matches longer than depth but doesn't for within. Matt Olney (Mar 17)
- Re: Rule parser rejects content matches longer than depth but doesn't for within. Will Metcalf (Mar 17)
- Re: Rule parser rejects content matches longer than depth but doesn't for within. Will Metcalf (Mar 17)
- Re: Rule parser rejects content matches longer than depth but doesn't for within. snort user (Mar 17)