Snort mailing list archives

[PATCH]: Support the hyphen character in a port range


From: <Joshua.Kinard () us-cert gov>
Date: Fri, 4 Mar 2011 20:29:36 -0600


Hi snort-devel,

The SourceFire documentation gives indications that the colon ':'
operator is on its way out the door as the delimiter for port ranges.
It is to be replaced by the hyphen '-' instead.  However, Snort itself
doesn't appear to support this character:

ERROR: local.rules(168) ***Rule--PortVar Parse error: (pos=5,error=not a number)
1024-
   ^

Fatal Error, Quitting..

I poked around in the source and found what appears to be the file that
handles port parsing in src/sfutil/sfportobject.c, and making two small
changes makes the hyphen character supported (I'm a bit spooked by this
easy change, I'll add).

There appears to be a duplicate port parsing function in src/parser.c,
ParsePort.  However, I wedged a printf() call in there and ran the
compiled snort against some offline pcap data using rules with ranges
(and a variable with a range) and didn't see it trigger.  Is this old
parsing code by chance?  That is not modified unless I figure out the
call chain needed to test it (C isn't my best of languages, especially
when dealing with string parsing).

I have not modified the manual because I'm not certain what the logic
behind using the hyphen over the colon is.  Given the large number of
open-source rules out there, this would be a significant change and
supporting the colon would be needed for quite a long time.  I'm also
not certain that the hyphen enhances the readability of a rule in any
way.

I.e.,

1) alert tcp $HOME_NET 1024- -> $EXTERNAL_NET $HTTP_PORTS ( ... )
2) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS ( ... )

#2 just seems more... intuitive.  Maybe it's just because I've gotten
used to reading Snort rules that way.  Logically, the hyphen is widely
accepted as the range delimiter in a number of applications, so perhaps
this is the thinking.

Anyways, patch is attached.  If ParsePort needs modifying, then please
advise me on how that is used (i.e., what do I need to do to trigger
it).  Or if it's old/dead code, maybe discussion is needed on removing
it?

Cheers!

--J

Attachment: snort-2.9.0.4-parse-portrange-hyphen.patch
Description: snort-2.9.0.4-parse-portrange-hyphen.patch
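As an added illustration (not the attached patch and not Snort's own sfportobject.c or ParsePort code), here is a small C port-range parser that accepts ':' and '-' interchangeably and performs the checks a reviewer would expect: one delimiter only, digits elsewhere, 0..65535, and no inverted range. The names parse_port_range and port_range_t are hypothetical, and the leading-delimiter forms (":1024", "-1024") are assumed by analogy with the trailing ones shown in the message.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Inclusive port range produced by the parser. */
typedef struct { int low; int high; } port_range_t;

/*
 * Hypothetical port-range parser (not Snort's sfportobject.c code).
 * Accepts a single port ("80"), a closed range ("1024:2048", "1024-2048")
 * or an open-ended range ("1024:", "1024-", ":1024", "-1024"), treating
 * ':' and '-' interchangeably.  Returns 0 on success, -1 on error.
 */
static int parse_port_range(const char *s, port_range_t *out)
{
    const char *delim, *p;
    char *end;
    long low = 0, high = 65535;

    if (s == NULL || out == NULL || *s == '\0')
        return -1;

    /* Exactly one delimiter is allowed; every other character must be a digit,
     * which also rejects signs, whitespace and a second delimiter ("1-2-3"). */
    delim = strpbrk(s, ":-");
    for (p = s; *p != '\0'; p++)
        if (p != delim && !isdigit((unsigned char)*p))
            return -1;

    if (delim == NULL) {                    /* single port */
        low = high = strtol(s, &end, 10);
    } else {
        if (delim == s && delim[1] == '\0')
            return -1;                      /* bare ":" or "-" names nothing */
        if (delim != s)                     /* explicit low bound */
            low = strtol(s, &end, 10);
        if (delim[1] != '\0')               /* explicit high bound */
            high = strtol(delim + 1, &end, 10);
    }

    /* Reject values outside 0..65535 and inverted ranges. */
    if (low < 0 || high > 65535 || low > high)
        return -1;
    out->low = (int)low;
    out->high = (int)high;
    return 0;
}
```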
