[Snort-devel] Does 'ttl' allow less-than-or-equal and greater-than-or-equal?

Russ Combs rcombs at ...402...
Tue Aug 31 09:46:46 EDT 2010


On Mon, Aug 30, 2010 at 9:33 PM, <Joshua.Kinard at ...3108...> wrote:

>
> Hi -devel,
>
> Curious question, but does the 'ttl' rule option support the <= and >=
> operators?  SourceFire's manual indicates that it does (Looking at
> Sourcefire 3D System Analyst Guide, 4.9.1, Page 1204).  The Snort manual
> is not at all clear, stating in just one line:
> ttl:[[<number>-]><=]<number>;
>
> The single '=' in there seems to suggest that <= and >= are possible,
> but the parser in src/detection-plugins/sp_ttl_check.c:218 (snort-2.8.6)
> suggests only that less-than, greater-than, and equals are supported.
> The switch statement does not set ds_ptr->oper to a constant that would
> indicate lte/gte operations, nor does it bitwise AND TTL_CHECK_EQ to
> either TTL_CHECK_GT or TTL_CHECK_LT to achieve a similar effect.
>
> If 'ttl' does not support <= or >=, then what is the purpose of the '='?
> Would that not make 'ttl:64;' equivalent to 'ttl:=64;'?  Or is
> this a holdover from an earlier version of Snort that required the '='
> character to represent equality?
>

Looks like the manual could be more clear.  ttl:64 is the same as ttl:=64.
Also, <= and >= are not valid.

You can specify eg 1-64 which means <=64.

There are also decoder alerts for zero TTL or TTL below the configured
minimum.

And the same applies to IP6 hop limit.

We'll at least get the documentation updated.

Russ

>
> Thanks!
>
> --J
>
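As an added illustration of the option grammar Russ describes (equality with or without '=', strict '<' and '>', and a LO-HI range standing in for <=), here is a small stand-alone parser and matcher. It is not Snort's sp_ttl_check.c and the names ttl_parse, ttl_match and ttl_rule_matches are invented for this example; it rejects '<=' and '>=' because, as in the grammar, a digit must follow the operator.

```c
/* Added example, not Snort code: models ttl:[[<number>-]><=]<number>;
 * ttl_parse runs at rule-load time, ttl_match per packet. Names are invented. */
#include <ctype.h>
#include <stdlib.h>

typedef enum { TTL_INVALID, TTL_EQ, TTL_LT, TTL_GT, TTL_RANGE } ttl_oper_t;

typedef struct {
    ttl_oper_t oper;
    long lo;   /* compared value, or low end of a LO-HI range */
    long hi;   /* high end of a LO-HI range (inclusive) */
} ttl_check_t;

/* Parse "N", "=N", "<N", ">N" or "LO-HI" (optional trailing ';').
 * "<=N" and ">=N" come back INVALID: after '<' or '>' a digit must follow. */
ttl_check_t ttl_parse(const char *s) {
    const ttl_check_t bad = { TTL_INVALID, 0, 0 };
    ttl_check_t c = { TTL_EQ, 0, 0 };   /* a bare number means equality */
    int explicit_op = 0; char *end;
    while (isspace((unsigned char)*s)) s++;
    if (*s == '<' || *s == '>' || *s == '=') {
        c.oper = (*s == '<') ? TTL_LT : (*s == '>') ? TTL_GT : TTL_EQ;
        explicit_op = 1; s++;
    }
    if (!isdigit((unsigned char)*s)) return bad;
    c.lo = strtol(s, &end, 10); s = end;
    if (*s == '-' && !explicit_op) {    /* LO-HI: inclusive range, no operator */
        if (!isdigit((unsigned char)*++s)) return bad;
        c.hi = strtol(s, &end, 10); s = end;
        c.oper = TTL_RANGE;
        if (c.lo > c.hi || c.hi > 255) return bad;
    }
    while (isspace((unsigned char)*s) || *s == ';') s++;
    if (*s != '\0' || c.lo > 255) return bad;   /* TTL / hop limit is 8 bits */
    return c;
}

/* Evaluate a parsed check against one packet's TTL (or IP6 hop limit). */
int ttl_match(const ttl_check_t *c, int ttl) {
    switch (c->oper) {
    case TTL_EQ:    return ttl == c->lo;
    case TTL_LT:    return ttl <  c->lo;
    case TTL_GT:    return ttl >  c->lo;
    case TTL_RANGE: return ttl >= c->lo && ttl <= c->hi;
    default:        return 0;           /* invalid options never match */
    }
}

int ttl_rule_matches(const char *opt, int ttl) {
    ttl_check_t c = ttl_parse(opt);
    return c.oper != TTL_INVALID && ttl_match(&c, ttl);
}
```

With this model, ttl:1-64 matches every TTL from 1 to 64 inclusive, which is how the thread's "<=64" is expressed, while ttl:<=64 fails to parse.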