[Snort-devel] Does 'ttl' allow less-than-or-equal and greater-than-or-equal?

Joshua.Kinard at ...3108... Joshua.Kinard at ...3108...
Thu Sep 2 15:33:07 EDT 2010


Russ,

Awesome!  Glad to be of assistance.

Cheers!,

--J


-----Original Message-----
From: Russ Combs [mailto:rcombs at ...402...] 
Sent: Thursday, September 02, 2010 10:01 AM
To: Kinard, Joshua A
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Does 'ttl' allow less-than-or-equal and greater-than-or-equal?



On Tue, Aug 31, 2010 at 1:53 PM, <Joshua.Kinard at ...3108...> wrote:



	Russ,
	
	Thanks for the info!  Should I contact someone at SF directly to
	highlight the error in their analyst guide, or do they monitor this list
	for stuff like this and will pick it up in the next documentation cycle?
	I assume the '=' is a holdover from a previous version of Snort, so that
	existing rules with that syntax won't break.
	


A bug is open on this and the fix (including support for <= and >=)
should be out soon.



	I also mentioned a week or two ago on this list about the hidden
	'rawbytes' parameter to isdataat.  I didn't get a response on that, so
	just seeing if that will also get included in the next documentation
	update for both Snort and SourceFire.
	


The manual was already fixed following your earlier email.  Sorry you
didn't get a response then.



	And is there a public bug tracker for Snort?  I figure it's a good idea
	to see if an issue is reported already for little things like this.
	


There is no public bug tracker (other than this list).  But as these
bugs work their way through the system, additional steps are taken to
ensure related things are updated, including SF manuals.

Thanks for pointing out these issues.

Russ



	Thanks!,
	
	--J
	


	-----Original Message-----
	From: Russ Combs [mailto:rcombs at ...402...]
	Sent: Tuesday, August 31, 2010 9:47 AM
	To: Kinard, Joshua A
	Cc: snort-devel at lists.sourceforge.net
	Subject: Re: [Snort-devel] Does 'ttl' allow less-than-or-equal and
	greater-than-or-equal?
	
	
	
	On Mon, Aug 30, 2010 at 9:33 PM, <Joshua.Kinard at ...3108...> wrote:
	
	
	
	       Hi -devel,
	
	       Curious question, but does the 'ttl' rule option support the <=
	       and >= operators?  SourceFire's manual indicates that it does
	       (Looking at Sourcefire 3D System Analyst Guide, 4.9.1, Page 1204).
	       The Snort manual is not at all clear, stating in just one line:
	       ttl:[[<number>-]><=]<number>;
	
	       The single '=' in there seems to suggest that <= and >= are
	       possible, but the parser in
	       src/detection-plugins/sp_ttl_check.c:218 (snort-2.8.6) suggests
	       only that less-than, greater-than, and equals are supported.
	       The switch statement does not set ds_ptr->oper to a constant that
	       would indicate lte/gte operations, nor does it bitwise AND
	       TTL_CHECK_EQ to either TTL_CHECK_GT or TTL_CHECK_LT to achieve a
	       similar effect.
	
	       If 'ttl' does not support <= or >=, then what is the purpose of
	       the '=' for?  Would that not make 'ttl:64;' equivalent to
	       'ttl:=64;'?  Or is this a holdover from an earlier version of
	       Snort that required the '=' character to represent equality?
	
	
	
	Looks like the manual could be more clear.  ttl:64 is the same as
	ttl:=64.  Also, <= and >= are not valid.
	
	You can specify eg 1-64 which means <=64.
	
	There are also decoder alerts for zero TTL or TTL below the configured
	minimum.
	
	And the same applies to IP6 hop limit.
	
	We'll at least get the documentation updated.
	
	Russ
	
	
	
	       Thanks!,
	
	       --J
	
	
	
	
	
	
	
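The 'ttl' semantics Russ lays out above (a bare number or '=' means equality, '<' and '>' are strict, a 'low-high' range stands in for <=, and '<=' / '>=' are rejected), plus the zero-TTL and below-minimum decoder checks he mentions, as an added Python example. This is not Snort's sp_ttl_check.c: the TTL_CHECK_* values, the 0-255 bounds check and the decoder_alerts helper are this example's own assumptions.

```python
import re

# Operator tags named after the TTL_CHECK_* constants the thread mentions;
# the values are this example's own, not Snort's.
TTL_CHECK_EQ, TTL_CHECK_GT, TTL_CHECK_LT, TTL_CHECK_RG = "=", ">", "<", "-"

# Accepts "low-high" or "[<|>|=]number", i.e. ttl:[[<number>-]><=]<number>;
_SYNTAX = re.compile(r"^\s*(?:(\d+)\s*-\s*(\d+)|([<>=]?)\s*(\d+))\s*$")


def parse_ttl_option(arg):
    """Parse the argument of a 'ttl:' rule option with the snort-2.8.6
    semantics described in the thread. Returns (oper, low, high)."""
    # '<=' and '>=' are not valid tokens in this syntax; a range is the
    # documented way to express them (1-64 means <=64).
    if "<=" in arg or ">=" in arg:
        raise ValueError("ttl: '<=' and '>=' are not valid; use a range such as 1-64")
    m = _SYNTAX.match(arg)
    if not m:
        raise ValueError("ttl: bad argument %r" % arg)
    if m.group(1) is not None:
        low, high = int(m.group(1)), int(m.group(2))
        if not 0 <= low <= high <= 255:  # TTL is an 8-bit field (assumed check)
            raise ValueError("ttl: range out of order or outside 0-255")
        return (TTL_CHECK_RG, low, high)
    # A bare number is treated exactly like '=number'.
    oper, val = m.group(3) or TTL_CHECK_EQ, int(m.group(4))
    if not 0 <= val <= 255:
        raise ValueError("ttl: value outside 0-255")
    return (oper, val, val)


def ttl_matches(spec, packet_ttl):
    """Evaluate a parsed 'ttl:' spec against the TTL of one packet."""
    oper, low, high = spec
    if oper == TTL_CHECK_EQ:
        return packet_ttl == low
    if oper == TTL_CHECK_GT:
        return packet_ttl > low
    if oper == TTL_CHECK_LT:
        return packet_ttl < low
    return low <= packet_ttl <= high  # range, inclusive at both ends


def decoder_alerts(packet_ttl, min_ttl):
    """Decoder-level checks from the thread: zero TTL and TTL below a
    configured minimum (min_ttl is a hypothetical config value)."""
    alerts = []
    if packet_ttl == 0:
        alerts.append("zero TTL")
    if packet_ttl < min_ttl:
        alerts.append("TTL below configured minimum")
    return alerts
```

Note that 1-64 excludes a TTL of 0, which the zero-TTL decoder alert covers separately.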





