[Snort-devel] depth, content-list bugs?

Andrew Chi achi at ...227...
Wed Jul 30 09:05:18 EDT 2003


Hello,

The way I understood the wording for the definition of depth in chap
2.3.11: "This sets the maximum search depth for the content pattern
match function to search from the beginning of its search region." was
to mean that the depth specifies the last offset where the beginning
of the content could match, but this is not quite the case:

scenario1
=========
if "asdf" were at the very beginning of the payload.

example1
========
content: "asdf";
offset: 0;
depth: 0;

scenario1 should only be matched by example1, however in practice,
example2 also matches scenario1:

example2
========
content: "asdf";
offset: 0;
depth: 4;

yet, example3 will not match scenario1

example3
========
content: "asdf";
offset: 0;
depth: 2;

so in practice depth really specifies "the maximum offset into the
payload that the end of the content could match."

sticking to this definition there is a minor bug with example1 being
able to match everything (depth=0), when in fact it should match
nothing.

however, if implemented according to the original definition, example1
should only match items that are at the beginning of the payload.
however, i'm guessing if it were re-implemented that way, a lot of
rules would get broken.

could you add to the documentation for "depth" in chap. 2.3.11 a more
exact example and explanation, the vague example does not tell me
enough about the exact operation of "depth".  of course i could pore
over the source and find out, but isn't documentation there so that
i don't have to waste so much time doing that?  one might also say
that i could just test it out, which i did, and was misled because of
the success of example1, which led me to believe the original
definition was correct.

on a side note, 

"offset", "depth", "nocase" attributes aren't applied to
"content-list" parameters, is this the planned behavior?

thanx,
drew
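To make the two readings of "depth" concrete, here is a small model of content/offset/depth matching. It is an added illustration, not Snort's own code or the poster's: it implements both the behaviour the message observes (depth bounds where the *end* of the content may fall, depth 0 meaning unbounded) and the reading the poster first took from the manual (depth bounds where the *start* of the content may fall), then runs the three example rules against scenario1. The rule values and payloads are constructed; that depth is counted from `offset` rather than from byte 0 is an assumption taken from the quoted wording "from the beginning of its search region".

```python
"""Model of two readings of Snort's content/offset/depth semantics.

Added example, not Snort source. Both matchers below are simplified models
of a single `content:` check; they exist only to show where the two
interpretations of "depth" diverge on the poster's examples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentRule:
    content: bytes
    offset: int = 0
    depth: int = 0  # 0 = "no limit" under the observed behaviour


def match_observed(rule: ContentRule, payload: bytes) -> bool:
    """Observed semantics from the message: the search region starts at
    `offset`; with depth > 0 the whole content (i.e. its end) must lie
    within `depth` bytes of that start; depth 0 leaves the region open-ended.
    Assumption: depth is measured from `offset`, per "beginning of its
    search region" in the quoted manual text."""
    if rule.depth == 0:
        region = payload[rule.offset:]
    else:
        region = payload[rule.offset:rule.offset + rule.depth]
    return region.find(rule.content) != -1


def match_start_bounded(rule: ContentRule, payload: bytes) -> bool:
    """The reading the poster first expected: depth is the last position,
    relative to `offset`, at which the content may *begin*. Under this
    reading offset 0 / depth 0 means "only at the very start of the payload"."""
    last_start = rule.offset + rule.depth
    for start in range(rule.offset, last_start + 1):
        if payload.startswith(rule.content, start):
            return True
    return False


# Constructed inputs mirroring the message: scenario1 has "asdf" at byte 0.
SCENARIO1 = b"asdf-rest-of-payload"
EXAMPLE1 = ContentRule(b"asdf", offset=0, depth=0)
EXAMPLE2 = ContentRule(b"asdf", offset=0, depth=4)
EXAMPLE3 = ContentRule(b"asdf", offset=0, depth=2)


def evaluate(payload: bytes) -> dict:
    """Return {rule name: (observed_result, start_bounded_result)} so the
    divergence between the two readings is visible side by side."""
    rules = {"example1": EXAMPLE1, "example2": EXAMPLE2, "example3": EXAMPLE3}
    return {
        name: (match_observed(r, payload), match_start_bounded(r, payload))
        for name, r in rules.items()
    }


if __name__ == "__main__":
    for name, (observed, start_bounded) in evaluate(SCENARIO1).items():
        print(f"{name}: observed={observed} start_bounded={start_bounded}")
```

Running it shows the split the message describes: under the observed semantics example1 and example2 match scenario1 and example3 does not, whereas under the start-bounded reading all three match, because depth 2 would still allow a match beginning at byte 0. That single disagreement on example3 is what distinguishes the two definitions in testing, and the depth-0 case is where they agree by accident, which is why testing example1 alone was misleading.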
