[Snort-devel] add fatalerror if within size < content len on snort v2.7.0.1

Marc Norton mnorton at ...402...
Thu Sep 6 16:13:32 EDT 2007


Thanks,

We'll check it out.

rmkml wrote:
> Hi,
> Adding this patch for parsing Snort rules if within size < content len
> (new result: FatalError), example:
>  alert tcp any any -> any any (msg:"test within size < content len";
> flow:to_server,established; content:"POST "; nocase; content:"|FF FF|";
> within:1; distance:0; classtype:attempted-admin; sid:99999998; rev:1;)
> This rule never works because within size < content len (but Snort does not
> warn before this patch).
> 
> Any comments?
> (This patch includes a small copy of ParsePattern() from
> detection-plugins/sp_pattern_match.c.)
> 
> Credits:
>    Crusoe Researches
>    http://www.Crusoe-Researches.com
> 
>    Azwalaro: new nidps open source project (Wireshark based)
>    http://www.Crusoe-Researches.com/azwalaro/
> Regards
> Rmkml


-- 
Marc Norton
Sourcefire,Inc   410-423-1924
www.snort.org    www.sourcefire.com
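
The check discussed in this thread, as a stand-alone sketch added here; it is not the posted patch and not Snort's own ParsePattern(). The names `content_len`, `count_bad_within` and `SAMPLE_RULE` are hypothetical, and the parser is simplified: it assumes options of the form `content:"..."` (no negation) and that `within` modifies the content option before it.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

const char SAMPLE_RULE[] =   /* constructed: the rule from the post on one line */
    "alert tcp any any -> any any (msg:\"test within size < content len\"; "
    "flow:to_server,established; content:\"POST \"; nocase; "
    "content:\"|FF FF|\"; within:1; distance:0; classtype:attempted-admin; "
    "sid:99999998; rev:1;)";

/* Decoded length of a content pattern; p points just past the opening quote.
 * |..| holds hex byte pairs, backslash escapes a character. -1 if malformed. */
int content_len(const char *p)
{
    int len = 0, in_hex = 0, nibbles = 0;
    for (; *p && (in_hex || *p != '"'); p++) {
        if (*p == '|') {
            if (in_hex && nibbles % 2) return -1;  /* half a byte left over */
            in_hex = !in_hex, nibbles = 0;
        } else if (in_hex) {
            if (isspace((unsigned char)*p)) continue;
            if (!isxdigit((unsigned char)*p)) return -1;
            if (++nibbles % 2 == 0) len++;          /* two hex digits = one byte */
        } else {
            if (*p == '\\' && p[1]) p++;            /* escaped character */
            len++;
        }
    }
    return (in_hex || *p != '"') ? -1 : len;        /* must end on the quote */
}

/* Counts within values smaller than the preceding content; -1 if malformed. */
int count_bad_within(const char *rule)
{
    const char *p = strchr(rule, '('), *opt;
    int last = -1, bad = 0, quoted;
    if (!p) return -1;
    for (p++; *p && *p != ')'; p += (*p == ';')) {
        while (isspace((unsigned char)*p)) p++;
        for (opt = p, quoted = 0; *p && (quoted || *p != ';'); p++) {
            if (*p == '\\' && p[1]) p++;            /* skip escaped character */
            else if (*p == '"') quoted = !quoted;   /* ';' inside quotes is data */
        }
        if (!strncmp(opt, "content:\"", 9) && (last = content_len(opt + 9)) < 0)
            return -1;
        if (!strncmp(opt, "within:", 7) && last >= 0 && atoi(opt + 7) < last)
            bad++;
    }
    return bad;
}
```

On the rule from the post, `count_bad_within(SAMPLE_RULE)` returns 1, because `|FF FF|` decodes to two bytes and `within:1` cannot hold it; the same rule with `within:2` returns 0.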