[Snort-devel] Rule parser rejects content matches longer than depth but doesn't for within.

snort user snort.user at ...2499...
Wed Mar 17 23:04:38 EDT 2010


Agreed that it would be good if snort engine rejected that case.

At the same time, that is too straightforward that any decent rule writer
would not make such a blatant mistake. Don't you think so?



On Wed, Mar 17, 2010 at 10:26 PM, Will Metcalf
<william.metcalf at ...2499...> wrote:
> It is good that the snort rule parser rejects cases where content >
> depth.  It would be cool if it did the same thing for cases where
> content > within.
>
> Regards,
>
> Will
>
> #test 11 content with invalid depth modifier this is handled properly
> with error The depth(2) is less than the size of the content(3)!
> #
> #file allworkandnoplayplain.pcap
> alert tcp any any -> any any (msg:"content with depth where match is
> longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown;
> sid:11; rev:1;)
>
> #this will never match but is accepted by the rule parser as content
> is 3 > within 2
> alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+
> relative";  byte_jump:1,67,relative; content:"|00 00 38|"; within:2;
> sid:137; rev:1;)
>
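As an added illustration of the check being asked for above (example code written for this page, not code from either poster and not Snort's own rule parser), the following Python script parses the option block of a Snort rule, computes how many bytes each content pattern matches (counting `|..|` hex groups as two digits per byte), and flags any depth or within modifier smaller than that length, since such a rule can never fire. The sample rules are constructed from the two quoted in the message; the error text mirrors the parser message quoted there. The option grammar handled here is an assumption covering only the keywords that appear on this page, and the rule body is assumed to contain no parentheses inside its msg string.

```python
import re

# Constructed sample rules, modelled on the two quoted in the thread plus one
# consistent rule for comparison.
RULES = [
    'alert tcp any any -> any any (msg:"content with depth where match is longer '
    'than depth GET"; content:"GET"; depth:2; classtype:bad-unknown; sid:11; rev:1;)',
    'alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+relative"; '
    ' byte_jump:1,67,relative; content:"|00 00 38|"; within:2; sid:137; rev:1;)',
    'alert tcp any any -> any 80 (msg:"consistent rule"; content:"GET"; depth:3; '
    'content:"|0d 0a|"; within:2; sid:1; rev:1;)',
]

# One rule option: keyword, optional ':' value (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def split_options(rule):
    """Return (keyword, value) pairs from the rule's parenthesised option block.
    Quoted values are returned without their quotes; valueless keywords
    such as 'nocase' get None. Assumes the msg string has no parentheses."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, pos = [], 0
    while body[pos:].strip():
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse rule options at: {body[pos:]!r}")
        key, val = m.group(1), m.group(2)
        if val is not None:
            val = val.strip()
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
        opts.append((key, val))
        pos = m.end()
    return opts


def content_length(pattern):
    """Number of bytes a content pattern matches: one byte per character
    outside |...| (after removing backslash escapes), two hex digits per
    byte inside |...| with whitespace ignored."""
    total = 0
    for i, chunk in enumerate(pattern.split('|')):
        if i % 2 == 0:                      # literal text segment
            total += len(re.sub(r'\\(.)', r'\1', chunk))
        else:                               # hex segment between pipes
            digits = re.sub(r'\s+', '', chunk)
            if len(digits) % 2 or not re.fullmatch(r'[0-9A-Fa-f]*', digits):
                raise ValueError(f"bad hex pattern: {chunk!r}")
            total += len(digits) // 2
    return total


def check_rule(rule):
    """List every depth/within modifier that is smaller than the length of
    the content it applies to. Such a rule is accepted syntactically but can
    never match, which is the case the thread asks the parser to reject."""
    problems = []
    current = None                          # (pattern, length) of last content
    for key, val in split_options(rule):
        if key == 'content':
            current = (val, content_length(val))
        elif key in ('depth', 'within') and current is not None:
            limit = int(val)
            if limit < current[1]:
                problems.append(
                    f"The {key}({limit}) is less than the size of the content({current[1]})!")
    return problems


if __name__ == '__main__':
    for rule in RULES:
        sid = dict(split_options(rule)).get('sid')
        for problem in check_rule(rule) or ['ok']:
            print(f"sid {sid}: {problem}")
```

Run stand-alone it reports sid 11 (depth 2 < 3 bytes) and sid 137 (within 2 < 3 bytes) and passes sid 1, so the within case the original message shows being silently accepted is caught by the same comparison the parser already makes for depth.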
