[Snort-devel] Rule parser rejects content matches longer than depth but doesn't for within.
william.metcalf at ...2499...
Wed Mar 17 22:26:14 EDT 2010
It is good that the snort rule parser rejects cases where content >
depth. It would be cool if it did the same thing for cases where
content > within.
#test 11 content with invalid depth modifier this is handled properly with error The depth(2) is less than the size of the content(3)!
alert tcp any any -> any any (msg:"content with depth where match is longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown;

#this will never match but is accepted by the rule parser as content is 3 > within 2
alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+ relative"; byte_jump:1,67,relative; content:"|00 00 38|"; within:2;
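
The check requested above can be run outside Snort as a rule lint. This is an added example, not part of the original post or of Snort's parser; the function names, the sample `msg` text and the `sid` values are constructed for illustration. It applies the same size comparison to both `depth` and `within`.

```python
import re

# One rule option: name[:value]; a value may be a (negated) quoted string
# containing escaped characters, or bare text up to the next ';'.
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*(!?\s*"(?:\\.|[^"\\])*"|[^;]*))?\s*;')

def content_length(value):
    """Byte length of a content pattern such as "GET" or "|00 00 38|"."""
    pattern = value.lstrip("! \t").strip()[1:-1]  # drop negation and quotes
    total = 0
    for i, part in enumerate(pattern.split("|")):
        if i % 2:   # text between pipes is hex bytes
            total += len(bytes.fromhex(part))
        else:       # literal text; an escaped character counts as one byte
            total += len(re.sub(r"\\(.)", r"\1", part))
    return total

def lint_rule(rule):
    """Flag depth/within values smaller than the content they modify."""
    start = rule.find("(")
    body = rule[start + 1:] if start >= 0 else rule
    findings, last_len = [], None
    for m in OPTION.finditer(body):
        name, value = m.group(1), (m.group(2) or "").strip()
        if name == "content":
            last_len = content_length(value)
        # Non-numeric values (e.g. a variable name) are skipped, not guessed.
        elif name in ("depth", "within") and last_len is not None and value.isdigit():
            if int(value) < last_len:
                findings.append(
                    f"{name}({value}) is less than the size of the content({last_len})")
    return findings

# Constructed samples: content/depth/within options as in the post,
# msg text and sid values invented here.
RULES = [
    'alert tcp any any -> any any (msg:"short depth"; content:"GET"; depth:2; sid:1000001;)',
    'alert tcp any any -> any 445 (msg:"short within"; byte_jump:1,67,relative; '
    'content:"|00 00 38|"; within:2; sid:1000002;)',
    'alert tcp any any -> any any (msg:"ok"; content:"GET"; depth:3; sid:1000003;)',
]

if __name__ == "__main__":
    for rule in RULES:
        for finding in lint_rule(rule):
            print(f"{finding}: {rule}")
```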