[Snort-devel] Rule parser rejects content matches longer than depth but doesn't for within.

Matt Olney molney at ...402...
Wed Mar 17 23:45:54 EDT 2010


No,

It's silly and it will cost people time.  Plus it will confuse folks
and frustrate them.  And...

[molney at ...3077... 2.8.6.rc1]$ ./bin/snort -c ./etc/snort.conf -A cmg
-l/tmp -r ~/1.pcap -q
ERROR: /home/molney/snort/2.8.6/rules/local.rules(8) The depth (2) is
less than the size of the content(3)!
Fatal Error, Quitting..
[molney at ...3077... 2.8.6.rc1]$ ./bin/snort -c ./etc/snort.conf -A cmg
-l/tmp -r ~/1.pcap -q
ERROR: /home/molney/snort/2.8.6/rules/local.rules(9) within (5) is
smaller than size of pattern
Fatal Error, Quitting..

Fixed in 2.8.6.

Matt

On Wed, Mar 17, 2010 at 11:36 PM, Will Metcalf
<william.metcalf at ...2499...> wrote:
> Yep agreed, not a huge deal just might save a rule writer some time
> who may have added an extra byte to a content: match but forgot to
> modify within. I have made this mistake before but then again I don't
> claim to be a great rule writer.
>
> I think the 10 minutes it would take to cut and paste the check from
> depth: to within: is worth the 2 minutes it will save all future rule
> writers searching for a typo in some multi-part flow-bit
> setting/checking monster of a rule with fangs and eyeballs don't you?
>
> Also would be nice to have consistency here esp since within: acts
> like depth: when no previous content match in the rule can be found.
>
> Regards,
>
> Will
>
> On Wed, Mar 17, 2010 at 10:04 PM, snort user <snort.user at ...2499...> wrote:
>> Agreed that it would be good if snort engine rejected that case.
>>
>> At the same time, that is so straightforward that any decent rule writer
>> would not make such a blatant mistake. Don't you think so?
>>
>>
>>
>> On Wed, Mar 17, 2010 at 10:26 PM, Will Metcalf
>> <william.metcalf at ...2499...> wrote:
>>> It is good that the snort rule parser rejects cases where content >
>>> depth.  It would be cool if it did the same thing for cases where
>>> content > within.
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> #test 11 content with invalid depth modifier this is handled properly
>>> with error The depth(2) is less than the size of the content(3)!
>>> #
>>> #file allworkandnoplayplain.pcap
>>> alert tcp any any -> any any (msg:"content with depth where match is
>>> longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown;
>>> sid:11; rev:1;)
>>>
>>> #this will never match but is accepted by the rule parser as content
>>> is 3 > within 2
>>> alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+
>>> relative";  byte_jump:1,67,relative; content:"|00 00 38|"; within:2;
>>> sid:137; rev:1;)
>>>
>>> ------------------------------------------------------------------------------
>>> Download Intel® Parallel Studio Eval
>>> Try the new software tools for yourself. Speed compiling, find bugs
>>> proactively, and fine-tune applications for parallel performance.
>>> See why Intel Parallel Studio got high marks during beta.
>>> http://p.sf.net/sfu/intel-sw-dev
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>
>
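The consistency check discussed in this thread (reject a rule whose content pattern cannot fit inside its depth or within) is easy to reproduce outside the engine, which is useful for linting a ruleset before reloading Snort. The following Python is an added example written for this page, not code from the Snort source; it reimplements the length arithmetic independently, so its messages merely mirror the ones Snort 2.8.6 prints above. The first two sample rules are Will's from the thread; the third is a constructed rule that should pass. Non-numeric depth/within values are skipped rather than flagged, and only the option keywords shown here are inspected.

```python
"""Lint Snort rule bodies for content patterns longer than their depth/within.

Added example for this thread, not part of Snort. Assumes the classic
Snort 2.x content syntax: text inside double quotes, |..| toggling hex
mode (hex pairs, whitespace ignored), and backslash escapes for \\ \" \; \: \|.
"""
import re
from typing import List, Tuple

HEX_DIGITS = set("0123456789abcdefABCDEF")


def content_length(raw: str) -> int:
    """Return how many bytes a content string (without its quotes) matches."""
    n = 0
    hex_mode = False
    hexbuf: List[str] = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if hex_mode:
            if ch == "|":                       # leave hex mode, flush pairs
                if len(hexbuf) % 2:
                    raise ValueError("odd number of hex digits in |..| block")
                n += len(hexbuf) // 2
                hexbuf = []
                hex_mode = False
            elif ch in HEX_DIGITS:
                hexbuf.append(ch)
            elif not ch.isspace():
                raise ValueError(f"non-hex character {ch!r} inside |..| block")
        elif ch == "|":                         # enter hex mode
            hex_mode = True
        elif ch == "\\":                        # escaped literal byte
            i += 1
            if i >= len(raw):
                raise ValueError("dangling backslash in content")
            n += 1
        else:
            n += 1
        i += 1
    if hex_mode:
        raise ValueError("unterminated |..| block in content")
    return n


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the text between ( and ) into (keyword, value) pairs.

    ';' only terminates an option outside double quotes, so a quoted,
    escaped semicolon inside a content pattern is preserved.
    """
    opts: List[str] = []
    cur: List[str] = []
    in_quote = False
    i = 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\":             # keep escape and escaped char
            cur.append(ch)
            i += 1
            if i < len(body):
                cur.append(body[i])
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if "".join(cur).strip():                    # tolerate a missing final ';'
        opts.append("".join(cur).strip())
    pairs = []
    for opt in opts:
        kw, _, val = opt.partition(":")
        pairs.append((kw.strip(), val.strip()))
    return pairs


def lint_rule(rule: str) -> List[str]:
    """Return the problems found in one rule; an empty list means it passes."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        return ["rule has no option section"]
    errors: List[str] = []
    cur_len = None                              # byte length of the latest content:
    for kw, val in split_options(m.group(1)):
        if kw == "content":
            pat = val[1:].strip() if val.startswith("!") else val   # allow content:!"..."
            if len(pat) < 2 or pat[0] != '"' or pat[-1] != '"':
                errors.append(f"content value is not quoted: {val}")
                cur_len = None
                continue
            try:
                cur_len = content_length(pat[1:-1])
            except ValueError as exc:
                errors.append(f"bad content {val}: {exc}")
                cur_len = None
        elif kw in ("depth", "within"):
            if cur_len is None:
                errors.append(f"{kw} has no preceding content")
                continue
            if not val.isdigit():               # variable reference or typo: skipped
                continue
            limit = int(val)
            if limit < cur_len:
                errors.append(f"{kw} ({limit}) is smaller than size of content ({cur_len})")
    return errors


# Sample rules: first two from the thread, third constructed to pass the check.
RULES = [
    'alert tcp any any -> any any (msg:"content with depth where match is '
    'longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown; sid:11; rev:1;)',
    'alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+ relative"; '
    'byte_jump:1,67,relative; content:"|00 00 38|"; within:2; sid:137; rev:1;)',
    'alert tcp any any -> any 80 (msg:"valid depth and within"; content:"GET"; depth:3; '
    'content:"|2F|admin\\;x"; within:8; sid:1000001; rev:1;)',
]

if __name__ == "__main__":
    for rule in RULES:
        for problem in lint_rule(rule) or ["ok"]:
            print(f"{rule[:40]}...: {problem}")
```

Run on the three rules, the first reports the depth problem, the second the within problem, and the third passes; the third also exercises the hex block and the escaped semicolon, which together make 8 bytes.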
