Snort mailing list archives

Does 'ttl' allow less-than-or-equal and greater-than-or-equal?


From: Joshua.Kinard () us-cert gov
Date: Mon, 30 Aug 2010 20:33:33 -0500


Hi -devel,

Curious question, but does the 'ttl' rule option support the <= and >=
operators?  Sourcefire's manual indicates that it does (looking at
Sourcefire 3D System Analyst Guide, 4.9.1, Page 1204).  The Snort manual
is not at all clear, stating in just one line:
ttl:[[<number>-]><=]<number>;

The single '=' in there seems to suggest that <= and >= are possible,
but the parser in src/detection-plugins/sp_ttl_check.c:218 (snort-2.8.6)
suggests only that less-than, greater-than, and equals are supported.
The switch statement does not set ds_ptr->oper to a constant that would
indicate lte/gte operations, nor does it bitwise AND TTL_CHECK_EQ to
either TTL_CHECK_GT or TTL_CHECK_LT to achieve a similar effect.

If 'ttl' does not support <= or >=, then what is the '=' for?  Would
that not make 'ttl:64;' equivalent to 'ttl:=64;'?  Or is
this a holdover from an earlier version of Snort that required the '='
character to represent equality?

Thanks!

--J
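
Added example, not part of the original message and not Snort's code: a small C model of a 'ttl' argument parser in which the operator is a set of flags, so that <= and >= are representable and '64' parses the same as '=64'. The OP_* names and values, the 0-255 bound and the inclusive lo-hi range are assumptions of this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical flag values; these are not Snort's TTL_CHECK_* constants. */
enum { OP_EQ = 1, OP_LT = 2, OP_GT = 4, OP_RANGE = 8 };
struct ttl_opt { int oper; int lo; int hi; };

/* Read a decimal 0..255 and advance *s; -1 if no digits or out of range. */
static int read_ttl(const char **s)
{
    char *end;
    if (!isdigit((unsigned char)**s)) return -1;
    long v = strtol(*s, &end, 10);
    if (v > 255) return -1;
    *s = end;
    return (int)v;
}

/* Parse the text between "ttl:" and ';'. Returns 0 on success, -1 on reject. */
int ttl_parse(const char *s, struct ttl_opt *o)
{
    int v;
    memset(o, 0, sizeof *o);
    while (isspace((unsigned char)*s)) s++;
    if (*s == '<') { o->oper = OP_LT; s++; }
    else if (*s == '>') { o->oper = OP_GT; s++; }
    if (*s == '=') { o->oper |= OP_EQ; s++; }  /* "<=", ">=" or bare "=" */
    if ((v = read_ttl(&s)) < 0) return -1;     /* also rejects "=<64" */
    o->lo = o->hi = v;
    if (*s == '-') {                           /* range form: lo-hi */
        if (o->oper) return -1;                /* no operator with a range */
        s++;
        if ((v = read_ttl(&s)) < 0 || v < o->lo) return -1;
        o->hi = v;
        o->oper = OP_RANGE;
    } else if (!o->oper) o->oper = OP_EQ;      /* "64" is the same as "=64" */
    while (isspace((unsigned char)*s)) s++;
    return *s == '\0' ? 0 : -1;                /* reject trailing junk */
}

/* Evaluate a parsed option against a packet's TTL; returns 1 or 0. */
int ttl_match(const struct ttl_opt *o, int ttl)
{
    if (o->oper == OP_RANGE) return ttl >= o->lo && ttl <= o->hi;
    return ((o->oper & OP_EQ) && ttl == o->lo) ||
           ((o->oper & OP_LT) && ttl <  o->lo) ||
           ((o->oper & OP_GT) && ttl >  o->lo);
}
```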
