[Snort-devel] dsize ranges

Andreas Östling andreaso at ...387...
Wed Jun 26 08:21:08 EDT 2002


Hello,

I would like to check if a payload size is within a certain range.
I first thought that something like this would do the trick:

alert tcp any any -> any any (msg: "foo"; dsize: >99; dsize: < 201;)

But it turns out the second dsize simply overwrites the first one's
value, causing unwanted behaviour. Is this considered a bug or is it just
plain wrong syntax?

I guess you can achieve what I want using a few pass rules, but is there
another preferred way of doing this?

Anyway, I thought that something like this syntax would be useful:
alert tcp any any -> any any (msg: "foo"; dsize: 100<>200;)

The quick hack below will allow this. Not well-tested at all, but it shows
an idea...
(Also took the liberty to change a couple of debug messages.)


For sp_dsize_check.h:

--- sp_dsize_check.h.old        Wed Jun 26 15:26:31 2002
+++ sp_dsize_check.h    Wed Jun 26 15:26:40 2002
@@ -31,6 +31,7 @@
 typedef struct _DsizeCheckData
 {
     int dsize;
+    int dsize2;

 } DsizeCheckData;
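Review bot: The added `dsize2` field has no comment, and its name does not say that it is the upper bound of a range while `dsize` doubles as the lower bound. A comment on the added line such as `/* upper bound; only set and read for range rules (CheckDsizeRange) */`, or the name `dsize_max`, would make that explicit. Nothing in this patch assigns the field for single-value rules, so later check functions should not read it there.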

@@ -40,5 +41,6 @@
 int CheckDsizeEq(Packet *, struct _OptTreeNode *, OptFpList *);
 int CheckDsizeGT(Packet *, struct _OptTreeNode *, OptFpList *);
 int CheckDsizeLT(Packet *, struct _OptTreeNode *, OptFpList *);
+int CheckDsizeRange(Packet *, struct _OptTreeNode *, OptFpList *);

 #endif  /* __SP_DSIZE_CHECK_H__ */



For sp_dsize_check.c:

--- sp_dsize_check.c.old        Wed Jun 26 15:25:02 2002
+++ sp_dsize_check.c    Wed Jun 26 15:38:31 2002
@@ -100,7 +100,20 @@

     while(isspace((int)*data)) data++;

-    if(*data == '>')
+    /* If a range is specified, put min in ds_ptr->dsize and max in ds_ptr->dsize2 */
+    if(isdigit((int)*data) && strchr(data, '<') && strchr(data, '>'))
+    {
+        ds_ptr->dsize  = atoi(strtok(data, " <>"));
+        ds_ptr->dsize2 = atoi(strtok(NULL, " <>"));
+
+#ifdef DEBUG
+        printf("min dsize: %d\n", ds_ptr->dsize);
+        printf("max dsize: %d\n", ds_ptr->dsize2);
+#endif
+        AddOptFuncToList(CheckDsizeRange, otn);
+       return;
+    }
+    else if(*data == '>')
     {
         data++;
         AddOptFuncToList(CheckDsizeGT, otn);
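Review bot: In the new range branch the second `strtok(NULL, " <>")` result goes straight into `atoi()`, and as far as the hunk shows a rule such as `dsize: 100<>;` leaves no second token, so a malformed rule would dereference NULL while the sensor loads its rules. The `strchr()` test only checks that both characters occur somewhere in the argument, so `100><200` is accepted as a range, and a reversed range such as `200<>100` loads as a rule that can never match, which is a silent detection gap. I would keep the tokens in locals, parse them with `strtol()`, and reject a missing token, trailing junk or min > max at load time, using Snort's `FatalError()` or whatever this parser already uses for bad arguments. The enclosing parse function starts and ends outside this hunk.

```c
    if(isdigit((int)*data) && strchr(data, '<') && strchr(data, '>'))
    {
        char *min_tok = strtok(data, " <>");
        char *max_tok = strtok(NULL, " <>");
        char *min_end, *max_end;
        long min_val, max_val;

        /* "100<>" leaves no second token; never hand NULL to a converter */
        if(min_tok == NULL || max_tok == NULL)
            FatalError("dsize: range needs both a min and a max\n");

        min_val = strtol(min_tok, &min_end, 10);
        max_val = strtol(max_tok, &max_end, 10);

        /* reject trailing junk, negative bounds and reversed ranges */
        if(*min_end != '\0' || *max_end != '\0' ||
           min_val < 0 || max_val < min_val || max_val > INT_MAX)
            FatalError("dsize: invalid range\n");

        ds_ptr->dsize  = (int)min_val;
        ds_ptr->dsize2 = (int)max_val;

        /* … unchanged: DEBUG prints, AddOptFuncToList(CheckDsizeRange, otn), return … */
    }
```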
@@ -148,8 +161,7 @@
 #ifdef DEBUG
     else
     {
-        /* you can put debug comments here or not */
-        printf("Not equal\n");
+        printf("CheckDsizeEq(): dsize not equal\n");
     }
 #endif

@@ -183,8 +195,7 @@
 #ifdef DEBUG
     else
     {
-        /* you can put debug comments here or not */
-        printf("Not equal\n");
+        printf("CheckDsizeGT(): dsize not greater\n");
     }
 #endif

@@ -219,8 +230,41 @@
 #ifdef DEBUG
     else
     {
-        /* you can put debug comments here or not */
-        printf("Not equal\n");
+        printf("CheckDsizeLT(): dsize not lower\n");
+    }
+#endif
+
+    /* if the test isn't successful, return 0 */
+    return 0;
+}
+
+
+/****************************************************************************
+ *
+ * Function: CheckDsizeRange(char *, OptTreeNode *)
+ *
+ * Purpose: Test the packet's payload size against the rule payload size
+ *          values.  This test determines if the packet payload size is
+ *          in the range of the rule dsize min and max.
+ *
+ * Arguments: data => argument data
+ *            otn => pointer to the current rule's OTN
+ *
+ * Returns:  0 on failure, return value of next list function on success
+ *
+ ****************************************************************************/
+int CheckDsizeRange(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+  if(((DsizeCheckData *)otn->ds_list[PLUGIN_DSIZE_CHECK])->dsize <= p->dsize &&
+    ((DsizeCheckData *)otn->ds_list[PLUGIN_DSIZE_CHECK])->dsize2 >= p->dsize)
+    {
+        /* call the next function in the function list recursively */
+        return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+    }
+#ifdef DEBUG
+    else
+    {
+        printf("CheckDsizeRange(): not in range\n");
     }
 #endif
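Review bot: The header comment added above `CheckDsizeRange` does not describe this function and appears to be copied from the option parser's comment: it shows `CheckDsizeRange(char *, OptTreeNode *)` and documents a `data` argument, while the definition takes `Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list`. I would change the first line to `Function: CheckDsizeRange(Packet *, struct _OptTreeNode *, OptFpList *)`, list `p`, `otn` and `fp_list` under Arguments, and state that both bounds are inclusive, since the test uses `<=` and `>=`. As a style point, the `if` repeats the `(DsizeCheckData *)otn->ds_list[PLUGIN_DSIZE_CHECK]` cast and is indented differently from the surrounding code; one local pointer would make the comparison easier to read. The function's final `return 0;` and closing brace fall outside this hunk.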




Regards,
Andreas Östling




