[Snort-devel] [PATCH]: Fix Snort references parsing

Matthew Watchinski mwatchinski at ...402...
Thu Feb 16 14:42:04 EST 2006


Just an FYI, the VRT rule merge and build system strips spaces after 
"x:" by default, as this problem has occured with other keywords.  You 
shouldn't ever see this issue in any of the VRT Certified rule packages.

Cheers,
-matt


Yoann Vandoorselaere wrote:
> Hi,
> 
> Attached is a patch against Snort CVS that fixes a reference lookup
> problem resulting in an invalid URL in case the reference begins with a
> space character (example: "reference: cve,y;" lookup fail).
> 
> Regards,
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Index: ChangeLog
> ===================================================================
> RCS file: /cvsroot/snort/ChangeLog,v
> retrieving revision 1.393
> diff -u -p -r1.393 ChangeLog
> --- ChangeLog	9 Jan 2006 20:33:37 -0000	1.393
> +++ ChangeLog	14 Feb 2006 12:04:21 -0000
> @@ -1,3 +1,11 @@
> +2006-02-12 Yoann Vandoorselaere <yoann.v at ...2801...>
> +
> +    * src/signature.c (ParseReference): 
> +      Strip whitespaces from reference system and id. This fixes a 
> +      reference lookup problem resulting in an invalid URL in case
> +      the reference begins with a space character (example:
> +      reference: x,y; would fail).
> +
>  2006-01-09 Steven Sturges <ssturges at ...402...>
>      * src/sfutil/mwm.c:
>        Fixed bug with multiple recurring patterns in Wu-Manbher implementation.
> Index: src/signature.c
> ===================================================================
> RCS file: /cvsroot/snort/src/signature.c,v
> retrieving revision 1.5
> diff -u -p -r1.5 signature.c
> --- src/signature.c	3 Jun 2004 20:11:05 -0000	1.5
> +++ src/signature.c	14 Feb 2006 12:04:21 -0000
> @@ -84,7 +84,7 @@ void FPrintReference(FILE *fp, Reference
>  
>  void ParseReference(char *args, OptTreeNode *otn)
>  {
> -    char **toks;
> +    char **toks, *system, *id;
>      int num_toks;
>  
>      /* 2 tokens: system, id */
> @@ -96,7 +96,15 @@ void ParseReference(char *args, OptTreeN
>      }
>      else
>      {
> -    otn->sigInfo.refs = AddReference(otn->sigInfo.refs, toks[0], toks[1]);
> +        system = toks[0];
> +        while ( isspace((int) *system) )
> +            system++;
> +
> +        id = toks[1];
> +        while ( isspace((int) *id) )
> +            id++;
> +            
> +        otn->sigInfo.refs = AddReference(otn->sigInfo.refs, system, id);
>      }
>  
>      mSplitFree(&toks, num_toks);





More information about the Snort-devel mailing list