[Snort-devel] add fatalerror if within size < content len on snort v2.7.0.1

rmkml rmkml at ...879...
Wed Sep 5 06:40:47 EDT 2007


Hi,
I am adding this patch for parsing Snort rules: if within size < content len, the new result is a FatalError. Example:
  alert tcp any any -> any any (msg:"test within size < content len"; flow:to_server,established; content:"POST "; nocase; content:"|FF FF|"; within:1; distance:0; classtype:attempted-admin; sid:99999998; rev:1;)
This rule never works because within size < content len (but Snort does not warn before this patch).

Any comments?
(This patch includes a small copy of ParsePattern() from detection-plugins/sp_pattern_match.c.)

Credits:
    Crusoe Researches
    http://www.Crusoe-Researches.com

    Azwalaro: new nidps open source project (Wireshark based)
    http://www.Crusoe-Researches.com/azwalaro/
Regards
Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort2701_withinsizecontentlencheck.diff.gz
Type: application/octet-stream
Size: 2468 bytes
Desc: 
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20070905/369cff4b/attachment.obj>
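
The check this message describes, as an added example (not the attached patch and not Snort's own code): a stand-alone Python linter that computes each content pattern's byte length and flags a numeric within that is smaller. The function names and the second and third sample rules are constructed here; it assumes content syntax with |hex| blocks and backslash escapes.

```python
import re

# One rule option: name, optional ":argument" (quoted string or bare value), then ";"
OPTION = re.compile(r'\s*([\w.]+)\s*(?::\s*(!?\s*"(?:\\.|[^"\\])*"|[^;]*))?\s*;')

def content_len(arg):
    """Byte length of a content argument such as "POST |0D 0A|"."""
    body = arg.lstrip("! \t")[1:-1]          # drop negation and the quotes
    length, i, in_hex, hex_run = 0, 0, False, ""
    while i < len(body):
        ch = body[i]
        if ch == "\\" and not in_hex and i + 1 < len(body):
            length += 1                      # escaped character is one literal byte
            i += 2
            continue
        if ch == "|":
            if in_hex:                       # closing pipe: count the decoded bytes
                length += len(bytes.fromhex(hex_run))
                hex_run = ""
            in_hex = not in_hex
        elif in_hex:
            hex_run += ch
        else:
            length += 1
        i += 1
    return length

def check_rule(rule):
    """Return (within, content_len) pairs where within < content length."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    findings, last_len = [], None
    for m in OPTION.finditer(body):
        name, arg = m.group(1), (m.group(2) or "").strip()
        if name == "content":
            last_len = content_len(arg)
        elif name == "within" and last_len is not None and arg.isdigit():
            if int(arg) < last_len:          # pattern cannot fit in the window
                findings.append((int(arg), last_len))
    return findings

# Rule quoted in the message above
PAGE_RULE = 'alert tcp any any -> any any (msg:"test within size < content len"; flow:to_server,established; content:"POST "; nocase; content:"|FF FF|"; within:1; distance:0; classtype:attempted-admin; sid:99999998; rev:1;)'
# Constructed variants for comparison (not from the message)
OK_RULE = PAGE_RULE.replace("within:1;", "within:2;")
MIXED_RULE = 'alert tcp any any -> any any (content:"GET "; content:"a|0D 0A|b"; within:3; sid:1000001;)'

if __name__ == "__main__":
    for r in (PAGE_RULE, OK_RULE, MIXED_RULE):
        for within, clen in check_rule(r):
            print(f"within:{within} < content length {clen}: {r}")
```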

