Snort mailing list archives
Issues with search engines - ac_full in Snort 3
From: Oskar Olsson <oskarol () student chalmers se>
Date: Tue, 6 Mar 2018 10:52:32 +0000
Hello there Snort-devel!

We are two students working with Snort 3 for our master's thesis, which relates to the pattern matching in Snort. We noticed that when we try to print our state machine that we build as AC_FULL in acsmx2, we get very strange transitions. The problem is that, even with a single rule with content:GET, the state machine contains multiple transition states that point to very high numbered states, even though the machine only contains 4 states. Another strange thing is that the format of each state can vary and be values that should not be possible; for example, it would be 256 for what we think is the state that contains the match of the rule.

We have tested code from Snort 2 and also using the standard AC machine (acmx.cc) and these seem to be producing a valid state machine.

To clarify: using a simple content rule:

alert tcp any any -> any any (msg: "Content Rule"; content: "GET"; sid:1;)

we get states that contain multiple transitions to strange states.

We wonder if someone has stumbled upon this problem previously or knows what might cause this strange behavior. We have attached an image to this email showing the output of our print; not sure you can view it, as this is the first time we ask anything on this mail list. (If you can view the image, each section is a state and its transitions; the two first numbers are format and output.)

Best Regards,
Oskar and Linus
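For comparison, a minimal full-matrix Aho-Corasick DFA with a range check on every transition, added here as an example and not code from this message or from Snort's acsmx2. The array layout, the names ac_build and ac_bad_transitions, and case-sensitive matching are assumptions; for the single pattern GET it builds 4 states and every cell points to a state in 0..3.

```c
#include <stdio.h>
#include <string.h>
#define ALPHA 256
#define MAX_STATES 64   /* no overflow guard: the constructed patterns are short */

/* Hypothetical layout (not Snort's): one row per state, one column per byte. */
static int next_state[MAX_STATES][ALPHA], fail_state[MAX_STATES], is_match[MAX_STATES], num_states;

/* Build a full-matrix Aho-Corasick DFA; returns the number of states. */
int ac_build(const char **pats, int npats) {
    int queue[MAX_STATES], head = 0, tail = 0;
    memset(next_state, -1, sizeof next_state);   /* -1 marks "no edge yet" */
    memset(fail_state, 0, sizeof fail_state);
    memset(is_match, 0, sizeof is_match);
    num_states = 1;                              /* state 0 is the root */
    for (int p = 0; p < npats; p++) {            /* phase 1: keyword trie */
        int s = 0;
        for (const unsigned char *c = (const unsigned char *)pats[p]; *c; s = next_state[s][*c++])
            if (next_state[s][*c] < 0) next_state[s][*c] = num_states++;
        is_match[s] = 1;
    }
    for (int c = 0; c < ALPHA; c++) {            /* root: missing edges loop to 0 */
        if (next_state[0][c] < 0) next_state[0][c] = 0;
        else queue[tail++] = next_state[0][c];
    }
    while (head < tail) {                        /* phase 2: BFS fills every cell */
        int s = queue[head++], f = fail_state[s];
        is_match[s] |= is_match[f];              /* inherit matches via failure link */
        for (int c = 0; c < ALPHA; c++) {
            int t = next_state[s][c];
            if (t < 0) next_state[s][c] = next_state[f][c];
            else { fail_state[t] = next_state[f][c]; queue[tail++] = t; }
        }
    }
    return num_states;
}

/* Sanity check: count cells whose target lies outside 0..num_states-1. */
int ac_bad_transitions(void) {
    int bad = 0;
    for (int s = 0; s < num_states; s++)
        for (int c = 0; c < ALPHA; c++)
            bad += next_state[s][c] < 0 || next_state[s][c] >= num_states;
    return bad;
}

int main(void) {
    const char *pats[] = { "GET" };              /* constructed sample pattern */
    int n = ac_build(pats, 1);
    printf("states=%d out-of-range=%d\n", n, ac_bad_transitions());
}
```

A non-zero count from ac_bad_transitions on a freshly built table means some cell does not hold a plain state index.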