[Snort-devel] Does 'ttl' allow less-than-or-equal and greater-than-or-equal?

Russ Combs rcombs at ...402...
Thu Sep 2 10:00:44 EDT 2010


On Tue, Aug 31, 2010 at 1:53 PM, <Joshua.Kinard at ...3108...> wrote:

>
> Russ,
>
> Thanks for the info!  Should I contact someone at SF directly to
> highlight the error in their analyst guide, or do they monitor this list
> for stuff like this and will pick it up in the next documentation cycle?
> I assume the '=' is a holdover from a previous version of Snort, so that
> existing rules with that syntax won't break.
>

A bug is open on this and the fix (including support for <= and >=) should
be out soon.

>
> I also mentioned a week or two ago on this list about the hidden
> 'rawbytes' parameter to isdataat.  I didn't get a response on that, so
> just seeing if that will also get included in the next documentation
> update for both Snort and SourceFire.
>

The manual was already fixed following your earlier email.  Sorry you didn't
get a response then.

>
> And is there a public bug tracker for Snort?  I figure it's a good idea
> to see if an issue is reported already for little things like this.
>

There is no public bug tracker (other than this list).  But as these bugs
work their way through the system, additional steps are taken to ensure
related things are updated, including SF manuals.

Thanks for pointing out these issues.

Russ

>
> Thanks!,
>
> --J
>
>
> -----Original Message-----
> From: Russ Combs [mailto:rcombs at ...402...]
> Sent: Tuesday, August 31, 2010 9:47 AM
> To: Kinard, Joshua A
> Cc: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] Does 'ttl' allow less-than-or-equal and
> greater-than-or-equal?
>
>
>
> On Mon, Aug 30, 2010 at 9:33 PM, <Joshua.Kinard at ...3108...> wrote:
>
>        Hi -devel,
>
>        Curious question, but does the 'ttl' rule option support the <= and >=
>        operators?  SourceFire's manual indicates that it does (Looking at
>        Sourcefire 3D System Analyst Guide, 4.9.1, Page 1204).  The Snort manual
>        is not at all clear, stating in just one line:
>        ttl:[[<number>-]><=]<number>;
>
>        The single '=' in there seems to suggest that <= and >= are possible,
>        but the parser in src/detection-plugins/sp_ttl_check.c:218 (snort-2.8.6)
>        suggests only that less-than, greater-than, and equals are supported.
>        The switch statement does not set ds_ptr->oper to a constant that would
>        indicate lte/gte operations, nor does it bitwise AND TTL_CHECK_EQ to
>        either TTL_CHECK_GT or TTL_CHECK_LT to achieve a similar effect.
>
>        If 'ttl' does not support <= or >=, then what is the purpose of the '='
>        for?  Would that not make 'ttl:64;' equivalent to 'ttl:=64;'?  Or is
>        this a holdover from an earlier version of Snort that required the '='
>        character to represent equality?
>
> Looks like the manual could be more clear.  ttl:64 is the same as
> ttl:=64.  Also, <= and >= are not valid.
>
> You can specify eg 1-64 which means <=64.
>
> There are also decoder alerts for zero TTL or TTL below the configured
> minimum.
>
> And the same applies to IP6 hop limit.
>
> We'll at least get the documentation updated.
>
> Russ
>
>        Thanks!,
>
>        --J
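The ttl option semantics described in this thread (ttl:64 equal to ttl:=64, '<' and '>' accepted, '<=' and '>=' rejected as of 2.8.6, and a range such as 1-64 standing in for <=64), written out as a small standalone C parser and matcher. This is an added illustration, not Snort's own sp_ttl_check.c; it assumes range bounds are inclusive and that values outside 0-255 are invalid.

```c
#include <stdlib.h>
#include <ctype.h>

/* Operators the 2.8.6 'ttl' option accepts: none of them is <= or >=.
 * A range "lo-hi" is the documented way to write <=hi (as 1-hi) or >=lo. */
enum ttl_oper { TTL_EQ, TTL_LT, TTL_GT, TTL_RANGE, TTL_BAD };
struct ttl_check { enum ttl_oper oper; int lo, hi; };

/* Parse the argument of "ttl:<arg>;" (grammar ttl:[[<number>-]><=]<number>).
 * Returns 0 on success, -1 on a malformed option such as "<=64". */
int ttl_parse(const char *arg, struct ttl_check *c)
{
    const char *p = arg;
    char *end;
    long v;
    c->oper = TTL_EQ;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '<') { c->oper = TTL_LT; p++; }
    else if (*p == '>') { c->oper = TTL_GT; p++; }
    else if (*p == '=') p++;          /* "=64" is just "64" */
    if (*p == '=') return -1;         /* rejects "<=" and ">=" */
    v = strtol(p, &end, 10);
    if (end == p || v < 0 || v > 255) return -1;
    c->lo = c->hi = (int)v;
    if (*end == '-' && c->oper == TTL_EQ) {   /* "lo-hi" range form */
        p = end + 1;
        v = strtol(p, &end, 10);
        if (end == p || v < c->lo || v > 255) return -1;
        c->oper = TTL_RANGE;
        c->hi = (int)v;
    }
    while (isspace((unsigned char)*end)) end++;
    if (*end != '\0') return -1;      /* trailing garbage */
    return 0;
}

/* Evaluate a parsed check against a packet TTL (or IPv6 hop limit). */
int ttl_match(const struct ttl_check *c, int ttl)
{
    switch (c->oper) {
    case TTL_EQ:    return ttl == c->lo;
    case TTL_LT:    return ttl <  c->lo;
    case TTL_GT:    return ttl >  c->lo;
    case TTL_RANGE: return ttl >= c->lo && ttl <= c->hi;
    default:        return 0;
    }
}

/* Parse and evaluate in one step: 1 match, 0 no match, -1 invalid option. */
int ttl_rule_matches(const char *arg, int ttl)
{
    struct ttl_check c;
    return ttl_parse(arg, &c) == 0 ? ttl_match(&c, ttl) : -1;
}
```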