[Snort-devel] DCERPC2 support for byte_extract not implemented?

Joshua Kinard kumba at ...2185...
Wed Dec 21 17:43:39 EST 2011

I noticed in the manual that byte_extract supports a 'dce' parameter like
byte_test and byte_jump.  However, the code for this appears to be missing.
In src/dynamic-preprocessors/dcerpc2/dce2_roptions.c, only one reference to
DCE2_ROPT__BYTE_EXTRACT exists, while there are quite a few references to
the other forms for test/jump.

Is byte_extract going to get DCE override functionality?  Does it need it,
or is this an artifact from basing the rule option off of byte_test or
byte_jump?  What other parameters, aside from <endian> and <string type>, are
incompatible with byte_extract's DCE override?


Joshua Kinard
kumba at ...2185...
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
