[Snort-devel] Rule parser rejects content matches longer than depth but doesn't for within.

Will Metcalf william.metcalf at ...2499...
Wed Mar 17 23:36:28 EDT 2010


Yep agreed, not a huge deal just might save a rule writer some time
who may have added an extra byte to a content: match but forgot to
modify within. I have made this mistake before but then again I don't
claim to be a great rule writer.

I think the 10 minutes it would take to cut and paste the check from
depth: to within: is worth the 2 minutes it will save all future rule
writers searching for a typo in some multi-part flow-bit
setting/checking monster of a rule with fangs and eyeballs, don't you?

Also would be nice to have consistency here, especially since within: acts
like depth: when no previous content match in the rule can be found.

Regards,

Will

On Wed, Mar 17, 2010 at 10:04 PM, snort user <snort.user at ...2499...> wrote:
> Agreed that it would be good if snort engine rejected that case.
>
> At the same time, that is too straightforward that any decent rule writer
> would not make such a blatant mistake. Don't you think so?
>
>
>
> On Wed, Mar 17, 2010 at 10:26 PM, Will Metcalf
> <william.metcalf at ...2499...> wrote:
>> It is good that the snort rule parser rejects cases where content >
>> depth.  It would be cool if it did the same thing for cases where
>> content > within.
>>
>> Regards,
>>
>> Will
>>
>> #test 11 content with invalid depth modifier this is handled properly
>> with error The depth(2) is less than the size of the content(3)!
>> #
>> #file allworkandnoplayplain.pcap
>> alert tcp any any -> any any (msg:"content with depth where match is
>> longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown;
>> sid:11; rev:1;)
>>
>> #this will never match but is accepted by the rule parser as content
>> is 3 > within 2
>> alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+
>> relative";  byte_jump:1,67,relative; content:"|00 00 38|"; within:2;
>> sid:137; rev:1;)
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
>
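The check Will is asking for, as an added example that is not part of the thread and not Snort's own parser code: a small stand-alone linter that splits a rule's option section, computes the byte length of each content: string (plain text counts one byte per character, escaped characters count once, and each pair of hex digits inside |...| counts as one byte), and then rejects a depth: or within: modifier whose value is smaller than that length. The sample rules are constructed for this example, with the first two mirroring the two cases in the quoted message; the error text deliberately reuses the wording Snort prints for the depth case so that the within case reads the same way.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample rules (not from the Snort rule set). The first two reproduce
# the depth and within cases from the thread; the third is consistent and passes.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"content with depth where match is '
    'longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown; '
    'sid:11; rev:1;)',
    'alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+ '
    'relative"; byte_jump:1,67,relative; content:"|00 00 38|"; within:2; '
    'sid:137; rev:1;)',
    'alert tcp any any -> any 80 (msg:"consistent rule"; content:"GET"; depth:3; '
    'content:"/"; within:1; sid:1000001; rev:1;)',
]


def content_byte_length(value: str) -> int:
    """Number of bytes a Snort content: string will try to match.

    Outside |...| every character is one byte and a backslash escape (\\; \\" \\\\)
    is one byte; inside |...| each pair of hex digits is one byte and whitespace
    is ignored. Raises ValueError on malformed hex so a typo is not miscounted.
    """
    n, i, in_hex = 0, 0, False
    while i < len(value):
        c = value[i]
        if in_hex:
            if c == "|":
                in_hex = False
                i += 1
            elif c.isspace():
                i += 1
            else:
                if not re.fullmatch(r"[0-9A-Fa-f]{2}", value[i:i + 2]):
                    raise ValueError(f"bad hex in content: {value!r}")
                n += 1
                i += 2
        elif c == "|":
            in_hex = True
            i += 1
        elif c == "\\":
            n += 1
            i += 2  # escaped character counts as a single byte
        else:
            n += 1
            i += 1
    if in_hex:
        raise ValueError(f"unterminated hex block in content: {value!r}")
    return n


def split_options(rule: str) -> List[Tuple[str, str]]:
    """Split the (...) option section into (keyword, value) pairs.

    Semicolons inside double quotes (e.g. in msg:) do not terminate an option.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    tokens, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and in_quote:
            cur.append(body[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            tokens.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    tokens.append("".join(cur).strip())
    pairs = []
    for tok in tokens:
        if not tok:
            continue
        key, _, val = tok.partition(":")
        pairs.append((key.strip(), val.strip()))
    return pairs


def check_rule(rule: str) -> List[str]:
    """Return the list of length errors for a rule; an empty list means it passes."""
    errors: List[str] = []
    last_len: Optional[int] = None
    for key, val in split_options(rule):
        if key in ("content", "uricontent"):
            raw = val[1:].strip() if val.startswith("!") else val
            if not (raw.startswith('"') and raw.endswith('"')):
                errors.append(f"unquoted {key}: {val!r}")
                last_len = None
                continue
            last_len = content_byte_length(raw[1:-1])
        elif key in ("depth", "within"):
            # Both modifiers bound the most recent content match, so the same
            # sanity check applies to each (within with no prior content behaves
            # like depth, as the thread notes).
            if last_len is None:
                errors.append(f"{key} modifier with no preceding content")
                continue
            if not val.lstrip("-").isdigit():
                errors.append(f"non-numeric {key}: {val!r}")
                continue
            limit = int(val)
            if limit < last_len:
                errors.append(
                    f"The {key}({limit}) is less than the size of the content({last_len})!"
                )
    return errors


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(check_rule(rule) or ["ok"], "<-", rule[:60])
```

Running the block prints one verdict per sample rule; in the hypothetical linter the third rule is the only one that passes, while the second is flagged with the same wording Snort already uses for the first.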
