Snort mailing list archives

Isdataat's 'rawbytes' parameter


From: Joshua.Kinard () us-cert gov
Date: Wed, 18 Aug 2010 21:08:17 -0400


Hi -devel,

Looking through Snort's sourcecode, I've noticed an undocumented
parameter to the 'isdataat' rule option, "rawbytes".

Per src/detection-plugins/sp_isdataat.c:

Line 27
 * Arguments:
 *    <int>         byte location to check if there is data
 *    ["relative"]  look for byte location relative to the end of the last
 *                  pattern match
 *    ["rawbytes"]  force use of the non-normalized buffer.

Line 255
        else if(!strcasecmp(cptr, "rawbytes"))
        {
            /* the offset is to be applied to the non-normalized buffer */
            idx->flags |= ISDATAAT_RAWBYTES_FLAG;
        }

Line 302
    if (isdata->flags & ISDATAAT_RAWBYTES_FLAG)
    {
        /* Rawbytes specified, force use of that buffer */
        dsize = p->dsize;
        start_ptr = p->data;
        DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, 
                    "Using RAWBYTES buffer!\n"););
    }

This option is not mentioned in any Snort documentation or SourceFire
documentation (I checked 2.8.6 and 2.9.0-beta's manuals, plus the SF
System Analyst guide for 4.9.1).

Can we look at getting this mentioned so rule writers can make use of
it?  Does the use of the rawbytes parameter to isdataat introduce any
constraints with other rule options?  Is it compatible with the relative
parameter?

Also, can someone alert the SourceFire documentation people to its
existence as well?

Thanks!

--J
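As an added illustration of the branch quoted above (this is not code from the post or from Snort), a small Python model of how the rawbytes flag decides which buffer isdataat inspects, run against a constructed HTTP request whose URI shrinks under normalization. The "true when at least N bytes are available from the base" reading and the buffer-selection rule are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    data: bytes                    # raw, non-normalized payload (p->data / p->dsize)
    norm: Optional[bytes] = None   # normalized copy a preprocessor may provide

    def select(self, rawbytes: bool) -> bytes:
        # Mirrors the ISDATAAT_RAWBYTES_FLAG branch: the flag forces the raw
        # buffer; otherwise the normalized buffer is used when one exists.
        if rawbytes or self.norm is None:
            return self.data
        return self.norm


def is_data_at(pkt: Packet, offset: int, relative: bool = False,
               rawbytes: bool = False, doe: Optional[int] = None) -> bool:
    """Simplified isdataat (assumption: true when at least `offset` bytes are
    available from the base, as in 'isdataat:10,relative'). The base is the
    end of the last match (doe) when relative is set and a match exists,
    otherwise the start of the selected buffer."""
    buf = pkt.select(rawbytes)
    base = doe if (relative and doe is not None) else 0
    if not 0 <= base <= len(buf):   # the match end must lie inside this buffer
        return False
    return base + offset <= len(buf)


# Constructed sample: '//' collapsed, '/./' dropped and '%41' decoded by
# normalization, so the raw and normalized buffers have different lengths.
RAW = b"GET /a//b/./c/%41%41%41%41 HTTP/1.0"   # 35 bytes
NORM = b"GET /a/b/c/AAAA HTTP/1.0"             # 24 bytes
SAMPLE = Packet(data=RAW, norm=NORM)


def compare(offset: int, doe: Optional[int] = None) -> dict:
    """Evaluate isdataat:<offset>[,relative][,rawbytes] against both buffers."""
    rel = doe is not None
    return {
        "normalized": is_data_at(SAMPLE, offset, relative=rel, doe=doe),
        "rawbytes": is_data_at(SAMPLE, offset, relative=rel, rawbytes=True, doe=doe),
    }


if __name__ == "__main__":
    print(compare(30))         # {'normalized': False, 'rawbytes': True}
    print(compare(25, doe=4))  # after a 'GET ' match: {'normalized': False, 'rawbytes': True}
```

The same offset can therefore match or miss depending solely on whether rawbytes is set, which is exactly what a rule writer needs documented.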
