[Snort-devel] Adding more check on offset in byte_test keyword {snort280}

rmkml rmkml at ...879...
Thu Nov 15 14:01:57 EST 2007

on snort v2.8.0 (and previous), ByteTestParse() on 
detection-plugins/sp_byte_check.c not check offset size !
Joigned little patch for add this check.
recompiled and tested without rules/snort error.

example new error check :
  alert ip any any -> any any (msg:"test"; byte_test:1,>,0,1000; )
before new check, this second example not error:
  alert ip any any -> any any (msg:"test"; byte_test:1,>,0,10000000000000000000000000000000; )

Please Credits to Crusoe Researches
Best Regards
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort280_byte_test_morecheck_offset.diff.gz
Type: application/octet-stream
Size: 279 bytes
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20071115/cc2ee8f7/attachment.obj>

More information about the Snort-devel mailing list