[Snort-devel] Rule parser rejects content matches longer than depth but doesn't for within.

Will Metcalf william.metcalf at ...2499...
Wed Mar 17 23:48:20 EDT 2010


Cool!  Thanks Matt.

Regards,

Will

On Wed, Mar 17, 2010 at 10:45 PM, Matt Olney <molney at ...402...> wrote:
> No,
>
> It's silly and it will cost people time.  Plus it will confuse folks
> and frustrate them.  And...
>
> [molney at ...3077... 2.8.6.rc1]$ ./bin/snort -c ./etc/snort.conf -A cmg
> -l/tmp -r ~/1.pcap -q
> ERROR: /home/molney/snort/2.8.6/rules/local.rules(8) The depth (2) is
> less than the size of the content(3)!
> Fatal Error, Quitting..
> [molney at ...3077... 2.8.6.rc1]$ ./bin/snort -c ./etc/snort.conf -A cmg
> -l/tmp -r ~/1.pcap -q
> ERROR: /home/molney/snort/2.8.6/rules/local.rules(9) within (5) is
> smaller than size of pattern
> Fatal Error, Quitting..
>
> Fixed in 2.8.6.
>
> Matt
>
> On Wed, Mar 17, 2010 at 11:36 PM, Will Metcalf
> <william.metcalf at ...2499...> wrote:
>> Yep agreed, not a huge deal just might save a rule writer some time
>> who may have added an extra byte to a content: match but forgot to
>> modify within. I have made this mistake before but then again I don't
>> claim to be a great rule writer.
>>
>> I think the 10 minutes it would take to cut and paste the check from
>> depth: to within: is worth the 2 minutes it will save all future rule
>> writers searching for a typo in some multi-part flow-bit
>> setting/checking monster of a rule with fangs and eyeballs don't you?
>>
>> Also would be nice to have consistency here esp since within: acts
>> like depth: when no previous content match in the rule can be found.
>>
>> Regards,
>>
>> Will
>>
>> On Wed, Mar 17, 2010 at 10:04 PM, snort user <snort.user at ...2499...> wrote:
>>> Agreed that it would be good if snort engine rejected that case.
>>>
>>> At the same time, that is too straightforward that any decent rule writer
>>> would not make such a blatant mistake. Don't you think so?
>>>
>>>
>>>
>>> On Wed, Mar 17, 2010 at 10:26 PM, Will Metcalf
>>> <william.metcalf at ...2499...> wrote:
>>>> It is good that the snort rule parser rejects cases where content >
>>>> depth.  It would be cool if it did the same thing for cases where
>>>> content > within.
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> #test 11 content with invalid depth modifier this is handled properly
>>>> with error The depth(2) is less than the size of the content(3)!
>>>> #
>>>> #file allworkandnoplayplain.pcap
>>>> alert tcp any any -> any any (msg:"content with depth where match is
>>>> longer than depth GET"; content:"GET"; depth:2; classtype:bad-unknown;
>>>> sid:11; rev:1;)
>>>>
>>>> #this will never match but is accepted by the rule parser as content
>>>> is 3 > within 2
>>>> alert tcp any any -> any 445 (msg:"dce_iface over smb with byte_jump+
>>>> relative";  byte_jump:1,67,relative; content:"|00 00 38|"; within:2;
>>>> sid:137; rev:1;)
>>>>
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>
>>>
>>
>>
>
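The check the thread asks for, written here as an added illustration (not Snort's parser code): it walks a rule's option list, computes the byte length of each content: pattern (a |xx xx| run counts one byte per hex pair) and flags a depth: or within: modifier smaller than that length. The sample rules are constructed from the ones quoted above; splitting the option body on ';' is a simplification that assumes no ';' inside quoted strings.

```python
import re

# Constructed sample rules modelled on the thread: the first is rejected by
# Snort's parser (content > depth), the second was accepted although it can
# never match (content > within), the third is consistent.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"depth shorter than GET"; '
    'content:"GET"; depth:2; classtype:bad-unknown; sid:11; rev:1;)',
    'alert tcp any any -> any 445 (msg:"dce_iface over smb"; '
    'byte_jump:1,67,relative; content:"|00 00 38|"; within:2; sid:137; rev:1;)',
    'alert tcp any any -> any 80 (msg:"ok"; content:"POST"; depth:4; '
    'content:"|0d 0a|"; within:2; sid:1; rev:1;)',
]

HEX_RUN = re.compile(r'\|([0-9a-fA-F\s]*)\|')


def content_length(pattern):
    """Byte length of a content pattern; each 'xx' inside |...| is one byte."""
    n = 0
    pos = 0
    for m in HEX_RUN.finditer(pattern):
        n += len(pattern[pos:m.start()])   # literal text before the hex run
        n += len(m.group(1).split())       # one byte per hex pair
        pos = m.end()
    return n + len(pattern[pos:])


def check_rule(rule):
    """Return problems: a content whose depth: or within: is smaller than the pattern."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    # Assumption: no ';' inside quoted option values (true for the samples).
    options = [o.strip() for o in body.split(';') if o.strip()]
    problems = []
    current = None  # (pattern, length) of the content the next modifiers apply to
    for opt in options:
        name, _, value = opt.partition(':')
        value = value.strip()
        if name == 'content':
            # drop a leading negation '!' and the quotes; measure only the bytes
            pattern = value.lstrip('!').strip('"')
            current = (pattern, content_length(pattern))
        elif name in ('depth', 'within') and current is not None:
            limit = int(value)
            if limit < current[1]:
                problems.append(f'{name} ({limit}) is smaller than size of pattern '
                                f'"{current[0]}" ({current[1]})')
    return problems
```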