[Snort-devel] snort280, number args checked on ByteTestParse() too large ?

rmkml rmkml at ...879...
Wed Nov 14 01:06:35 EST 2007


Hi,
On Snort v2.8.0 (and previous), ByteTestParse() in detection-plugins/sp_byte_check.c checks the number of arguments:
     toks = mSplit(data, ",", 12, &num_toks, 0);
But why 12?
There are only 8 in the Snort manual:
  byte_test: <bytes to convert>, [!]<operator>, <value>, <offset> [,relative] [,<endian>] [,<number type>, string];
I recompiled and tested with 8, without any rules/Snort errors.
The number 12 is inherited from ByteJumpParse().

Please credit my company: Crusoe Researches
Best Regards
Rmkml
http://www.Crusoe-Researches.com
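
An added illustration, not part of the original message and not Snort's code: a simplified stand-in for a bounded split, assuming the cap is only an upper bound and that the last token keeps any unsplit remainder. bounded_split, count_tokens and the option strings are constructed for this example; it shows that an 8-field byte_test option list splits identically with a cap of 8 or 12, and that the caps differ only on over-long input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a bounded split (NOT Snort's mSplit): returns at
 * most max_toks tokens; once the cap is hit, the last token keeps the
 * unsplit remainder. Tokens point into buf, which is modified in place. */
static int bounded_split(char *buf, char sep, int max_toks, char **toks)
{
    int n = 0;
    char *p = buf;

    while (n < max_toks) {
        while (*p == ' ') p++;       /* skip blanks after a separator */
        toks[n++] = p;
        if (n == max_toks) break;    /* cap reached: remainder stays in this token */
        p = strchr(p, sep);
        if (p == NULL) break;        /* no separator left */
        *p++ = '\0';
    }
    return n;
}

/* Split a copy of opts with the given cap (1..16); copy the last token out. */
static int count_tokens(const char *opts, int cap, char *last, size_t len)
{
    char buf[256], *toks[16];
    int n;

    if (cap < 1 || cap > 16)
        return 0;
    snprintf(buf, sizeof(buf), "%s", opts);
    n = bounded_split(buf, ',', cap, toks);
    snprintf(last, len, "%s", toks[n - 1]);
    return n;
}

int main(void)
{
    /* Constructed option strings: the manual's 8 fields, then 10 fields. */
    const char *opts[] = { "4, >, 1000, 20, relative, big, string, dec",
                           "4, >, 1000, 20, relative, big, string, dec, x, y" };
    int caps[] = { 8, 12 };
    char last[64];

    for (int c = 0; c < 2; c++)
        for (int o = 0; o < 2; o++) {
            int n = count_tokens(opts[o], caps[c], last, sizeof(last));
            printf("cap %2d: %2d tokens, last=\"%s\"\n", caps[c], n, last);
        }
    return 0;
}
```

With the 10-field string, a cap of 8 leaves the extra fields fused into the eighth token, while a cap of 12 exposes them as separate tokens that a parser can count and reject.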



