[Snort-devel] Does 'ttl' allow less-than-or-equal and greater-than-or-equal?

Joshua.Kinard at ...3108... Joshua.Kinard at ...3108...
Mon Aug 30 21:33:33 EDT 2010

Hi -devel,

Curious question, but does the 'ttl' rule option support the <= and >=
operators?  SourceFire's manual indicates that it does (Looking at
Sourcefire 3D System Analyst Guide, 4.9.1, Page 1204).  The Snort manual
is not at all clear, stating in just one line:

The single '=' in there seems to suggest that <= and >= are possible,
but the parser in src/detection-plugins/sp_ttl_check.c:218 (snort-2.8.6)
suggests only that less-than, greater-than, and equals are supported.
The switch statement does not set ds_ptr->oper to a constant that would
indicate lte/gte operations, nor does it bitwise AND TTL_CHECK_EQ to
either TTL_CHECK_GT or TTL_CHECK_LT to achieve a similar effect.

If 'ttl' does not support <= or >=, then what is the purpose of the '='
for?  Would that not make 'ttl:64;' equivalent to 'ttl:=64;'?  Or is
this a holdover from an earlier version of Snort that required the '='
character to represent equality?



More information about the Snort-devel mailing list