[Snort-devel] [PATCH]: Support the hyphen character in a port range

Joshua.Kinard at ...3108...
Fri Mar 4 21:29:36 EST 2011


Hi snort-devel,

The SourceFire documentation gives indications that the colon ':'
operator is on its way out the door as the delimiter for port ranges.
It is to be replaced by the hyphen '-' instead.  However, Snort itself
doesn't appear to support this character:

ERROR: local.rules(168) ***Rule--PortVar Parse error: (pos=5,error=not a
number)
>>1024-
>>    ^

Fatal Error, Quitting..

I poked around in the source and found what appears to be the file that
handles port parsing in src/sfutil/sfportobject.c, and making two small
changes makes the hyphen character supported (I'm a bit spooked by this
easy change, I'll add).

There appears to be a duplicate port parsing function in src/parser.c,
ParsePort.  However, I wedged a printf() call in there and ran the
compiled snort against some offline pcap data using rules with ranges
(and a variable with a range) and didn't see it trigger.  Is this old
parsing code by chance?  That is not modified unless I figure out the
call chain needed to test it (C isn't my best of languages, especially
when dealing with string parsing).

I have not modified the manual because I'm not certain what the logic
behind using the hyphen over the colon is.  Given the large number of
open-source rules out there, this would be a significant change and
supporting the colon would be needed for quite a long time.  I'm also
not certain that the hyphen enhances the readability of a rule in any
way.

I.e.,

1) alert tcp $HOME_NET 1024- -> $EXTERNAL_NET $HTTP_PORTS ( ... )
2) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS ( ... )

#2 just seems more....intuitive.  Maybe it's just because I've gotten
used to reading Snort rules that way.  Logically, the hyphen is widely
accepted as the range delimiter in a number of applications, so perhaps
this is the thinking.

Anyways, patch is attached.  If ParsePort needs modifying, then please
advise me on how that is used (i.e., what do I need to do to trigger
it).  Or if it's old/dead code, maybe discussion is needed on removing
it?

Cheers!,

--J
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort-2.9.0.4-parse-portrange-hyphen.patch
Type: application/octet-stream
Size: 924 bytes
Desc: snort-2.9.0.4-parse-portrange-hyphen.patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110304/0938e298/attachment.obj>
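The two delimiters the message compares, worked through as an added example: a small C parser that accepts either ':' or '-' in a port-range token, including the open-ended "1024-" form that the Snort build above rejected, and reports the offending character offset on bad input. This is illustration code written for this page, not Snort's sfportobject.c, ParsePort, or the attached patch; parse_port_range and port_in_range are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
/* One parsed port-range token: "80", "1024:", "1024-", ":1023", "1024-65535". */
typedef struct {
    int lo, hi;     /* inclusive bounds; an open end defaults to 0 / 65535 */
    int ok;         /* 1 if the token parsed cleanly, 0 on error */
    size_t errpos;  /* offset of the offending character when ok == 0 */
} port_range_t;
/* Read a decimal port at s. Returns chars consumed, 0 if no digits, -1 if > 65535. */
static int parse_num(const char *s, int *out) {
    long v = 0; int n = 0;
    while (isdigit((unsigned char)s[n])) {
        v = v * 10 + (s[n] - '0');
        if (v > 65535) return -1;
        n++;
    }
    if (n > 0) *out = (int)v;
    return n;
}
/* Hypothetical parser (not Snort's): ':' and '-' are both accepted as the delimiter. */
port_range_t parse_port_range(const char *tok) {
    port_range_t r = { 0, 65535, 0, 0 };
    int n = parse_num(tok, &r.lo);
    if (n < 0) return r;                         /* lower bound out of range, errpos 0 */
    size_t pos = (size_t)n;
    if (tok[pos] == '\0') {                      /* no delimiter: a single port */
        if (n == 0) return r;                    /* empty token */
        r.hi = r.lo;
        r.ok = 1;
        return r;
    }
    if (tok[pos] != ':' && tok[pos] != '-') { r.errpos = pos; return r; }
    pos++;                                       /* skip the delimiter */
    n = parse_num(tok + pos, &r.hi);             /* missing upper bound keeps 65535 */
    if (n < 0) { r.errpos = pos; return r; }     /* upper bound out of range */
    pos += (size_t)n;
    if (tok[pos] != '\0' || r.lo > r.hi) { r.errpos = pos; return r; }
    r.ok = 1;
    return r;
}
/* 1 if port lies inside tok's range, 0 if not, -1 if tok does not parse. */
int port_in_range(const char *tok, int port) {
    port_range_t r = parse_port_range(tok);
    if (!r.ok) return -1;
    return (port >= r.lo && port <= r.hi) ? 1 : 0;
}
```

Tokens such as "1024-" and "1024:" therefore describe the same range here; the open upper bound is filled with 65535 rather than reported as "not a number".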

