[Snort-devel] Re: [Snort-users] depth?

Martin Roesch roesch at ...48...
Sat Jan 13 01:43:08 EST 2001


Actually, I think it needs to look like this:

 /* we want to match depth bytes anyway */
 sub_depth = p->dsize - idx->offset; 

 if((sub_depth > 0) && (sub_depth >= idx->pattern_size))
 {

If you ignore the starting offset you can get into trouble checking for
data beyond the end of the dsize.

     -Marty

Chris Green wrote:
> 
> sub_depth = p->dsize; // - (idx->offset + idx->depth); /* we want to match depth bytes anyway */
> 
> at about lines 541 and 639 in sp_pattern_match.c
> 
> With depth 32 and a dsize of 30, sub_depth was equal to -2 so it was
> searching -2 bytes into the packet.
> 
> Now, it will only go to dsize bytes into the packet no matter what the
> offset says. Would someone verify that this is a correct solution?
> 
> Chris Green <cmg at ...81...> writes:
> 
> > Max Vision <vision at ...195...> writes:
> >
> > > For example the following rule does not work (depth of 1 or higher):
> > > alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version";
> > > content: "|07|version"; nocase; depth: 32;)
> > >
> > > but this does (depth is zero or omitted):
> > > alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version";
> > > content: "|07|version"; nocase; depth: 0;)
> > >
> > > Can anyone else confirm on this or other platforms?
> >
> > Seeing your message right after mine, depth of 29 works but does not
> > work when depth exceeds the payload length.  This is on a redhat 6.2
> > box.
> >
> > --
> > Chris Green <cmg at ...81...>
> > You now have 14 minutes to reach minimum safe distance.
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
> --
> Chris Green <cmg at ...81...>
> A good pun is its own reword.

--
Martin Roesch
roesch at ...48...
http://www.snort.org
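
The window arithmetic discussed in this thread, as an added C example that is not Snort's code and not written by either poster. The names `window_original` and `bounded_find`, the 30-byte sample payload, and the choices that depth 0 means "no limit" and that depth only narrows the window are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SAMPLE_DSIZE 30
#define PAT_SIZE 8
/* Constructed 30-byte payload (not a capture): 12 zeroed header bytes,
 * then a version.bind style question. The pattern starts at index 12. */
static const unsigned char sample[] =
    "\0\0\0\0\0\0\0\0\0\0\0\0" "\x07version" "\x04" "bind" "\0\0\x10\0\x03";
static const unsigned char pat[] = "\x07version";

/* The calculation quoted in the thread before the fix:
 * negative as soon as offset + depth exceeds dsize. */
static int window_original(int dsize, int offset, int depth)
{
    return dsize - (offset + depth);
}

/* Hypothetical helper: search only inside [offset, dsize).
 * Returns the index of the match in data, or -1. */
static int bounded_find(const unsigned char *data, int dsize, int offset,
                        int depth, const unsigned char *p, int pattern_size)
{
    int sub_depth = dsize - offset;     /* bytes left after the offset */
    int i;

    if (offset < 0 || pattern_size <= 0)
        return -1;
    if (!((sub_depth > 0) && (sub_depth >= pattern_size)))
        return -1;                      /* pattern cannot fit after offset */
    if (depth > 0 && depth < sub_depth)
        sub_depth = depth;              /* assumption: depth only narrows */
    for (i = 0; i + pattern_size <= sub_depth; i++)
        if (memcmp(data + offset + i, p, (size_t)pattern_size) == 0)
            return offset + i;
    return -1;
}

int main(void)
{
    printf("original sub_depth (dsize 30, depth 32): %d\n",
           window_original(SAMPLE_DSIZE, 0, 32));
    printf("depth 32, offset 0  -> match at %d\n",
           bounded_find(sample, SAMPLE_DSIZE, 0, 32, pat, PAT_SIZE));
    printf("depth 32, offset 25 -> match at %d\n",
           bounded_find(sample, SAMPLE_DSIZE, 25, 32, pat, PAT_SIZE));
    return 0;
}
```
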
