Snort mailing list archives
Isdataat's 'rawbytes' parameter
From: Joshua.Kinard () us-cert gov
Date: Wed, 18 Aug 2010 21:08:17 -0400
Hi -devel,

Looking through Snort's sourcecode, I've noticed an undocumented parameter to the 'isdataat' rule option, "rawbytes". Per src/detection-plugins/sp_isdataat.c:

Line 27
 * Arguments:
 *   <int> byte location to check if there is data
 *   ["relative"] look for byte location relative to the end of the last
 *                pattern match
 *   ["rawbytes"] force use of the non-normalized buffer.

Line 255
        else if(!strcasecmp(cptr, "rawbytes"))
        {
            /* the offset is to be applied to the non-normalized buffer */
            idx->flags |= ISDATAAT_RAWBYTES_FLAG;
        }

Line 302
    if (isdata->flags & ISDATAAT_RAWBYTES_FLAG)
    {
        /* Rawbytes specified, force use of that buffer */
        dsize = p->dsize;
        start_ptr = p->data;
        DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Using RAWBYTES buffer!\n"););
    }

This option is not mentioned in any Snort documentation or SourceFire documentation (I checked 2.8.6 and 2.9.0-beta's manuals, plus the SF System Analyst guide for 4.9.1). Can we look at getting this mentioned so rule writers can make use of it?

Does the use of the rawbytes parameter to isdataat introduce any constraints with other rule options? Is it compatible with the relative parameter?

Also, can someone alert the SourceFire documentation people to its existence as well?

Thanks!

--J
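To make the buffer-selection behaviour in the quoted source concrete, here is an added Python model of the check. It is not Snort code and not from the poster: it stands in for the normalized vs. raw (p->data) buffers with a deliberately simplified HTTP URI normalization (percent-decoding and slash collapsing only; the real preprocessor does more), models isdataat as "a byte exists at base+offset inside the chosen buffer" as the Line 302 excerpt and the Line 27 comment suggest, and models 'content' matching to supply the relative base. The request bytes, the normalize_http, isdataat, find_content and evaluate_rule names are all constructed for this illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request: the percent-encoded URI is 47 bytes raw but only
# 33 bytes once decoded, so offsets near the end behave differently per buffer.
RAW_REQUEST = b"GET /cgi-bin/%70%68%70%3f%61%3d%31 HTTP/1.0\r\n\r\n"


def normalize_http(raw: bytes) -> bytes:
    """Simplified stand-in for Snort's HTTP normalized buffer (assumption).

    Percent-decodes the payload and collapses runs of '/' to a single '/'.
    """
    decoded = unquote_to_bytes(raw)
    return re.sub(rb"/{2,}", b"/", decoded)


def isdataat(buf: bytes, offset: int, base: int = 0) -> bool:
    """Model of isdataat:<offset>: true when buf has a byte at base+offset.

    Mirrors the start_ptr/dsize bounds check in the quoted source: the byte
    must lie inside [start_ptr, start_ptr + dsize).
    """
    pos = base + offset
    return 0 <= pos < len(buf)


def find_content(buf: bytes, pattern: bytes) -> int:
    """Model of a 'content' match; returns the index just past the match
    (the 'end of the last pattern match' used by 'relative'), or -1."""
    i = buf.find(pattern)
    return -1 if i < 0 else i + len(pattern)


def evaluate_rule(raw: bytes, content: bytes, offset: int,
                  relative: bool, rawbytes: bool) -> bool:
    """Evaluate 'content:<content>; isdataat:<offset>[,relative][,rawbytes]'.

    'rawbytes' forces the raw payload (p->data); otherwise the normalized
    buffer is used, so the same offset can pass in one and fail in the other.
    """
    buf = raw if rawbytes else normalize_http(raw)
    base = 0
    if relative:
        base = find_content(buf, content)
        if base < 0:
            return False  # no content match, nothing to be relative to
    return isdataat(buf, offset, base)


if __name__ == "__main__":
    for relative, offset in ((True, 25), (False, 40)):
        for rawbytes in (True, False):
            hit = evaluate_rule(RAW_REQUEST, b"/cgi-bin/", offset, relative, rawbytes)
            print(f"offset={offset} relative={relative} rawbytes={rawbytes} -> {hit}")
```

Running it shows that isdataat:25,relative after the "/cgi-bin/" match succeeds against the raw 47-byte payload but fails against the 33-byte normalized one, and likewise isdataat:40 without relative. The practical consequence for rule writers is the one the poster's question about 'relative' hints at: the offset is measured in whatever buffer isdataat is pointed at, so a rule mixing a normalized-buffer content match with a rawbytes isdataat is counting bytes in two different representations of the same data.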