[Snort-devel] [PATCH]: Support the hyphen character in a port range

Joel Esler jesler at ...402...
Sun Mar 6 16:48:29 EST 2011


Joshua,

I've submitted your patch as a bug into our system.  As always, I'll provide
you feedback on your patch.

Thanks.

Joel

On Fri, Mar 4, 2011 at 9:29 PM, <Joshua.Kinard at ...3108...> wrote:

>
> Hi snort-devel,
>
> The SourceFire documentation gives indications that the colon ':'
> operator is on its way out the door as the delimiter for port ranges.
> It is to be replaced by the hyphen '-' instead.  However, Snort itself
> doesn't appear to support this character:
>
> ERROR: local.rules(168) ***Rule--PortVar Parse error: (pos=5,error=not a
> number)
> >>1024-
> >>    ^
>
> Fatal Error, Quitting..
>
> I poked around in the source and found what appears to be the file that
> handles port parsing in src/sfutil/sfportobject.c, and making two small
> changes makes the hyphen character supported (I'm a bit spooked by this
> easy change, I'll add).
>
> There appears to be a duplicate port parsing function in src/parser.c,
> ParsePort.  However, I wedged a printf() call in there and ran the
> compiled snort against some offline pcap data using rules with ranges
> (and a variable with a range) and didn't see it trigger.  Is this old
> parsing code by chance?  That is not modified unless I figure out the
> call chain needed to test it (C isn't my best of languages, especially
> when dealing with string parsing).
>
> I have not modified the manual because I'm not certain what the logic
> behind using the hyphen over the colon is.  Given the large number of
> open-source rules out there, this would be a significant change and
> supporting the colon would be needed for quite a long time.  I'm also
> not certain that the hyphen enhances the readability of a rule in any
> way.
>
> I.e.,
>
> 1) alert tcp $HOME_NET 1024- -> $EXTERNAL_NET $HTTP_PORTS ( ... )
> 2) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS ( ... )
>
> #2 just seems more... intuitive.  Maybe it's just because I've gotten
> used to reading Snort rules that way.  Logically, the hyphen is widely
> accepted as the range delimiter in a number of applications, so perhaps
> this is the thinking.
>
> Anyways, patch is attached.  If ParsePort needs modifying, then please
> advise me on how that is used (i.e., what do I need to do to trigger
> it).  Or if it's old/dead code, maybe discussion is needed on removing
> it?
>
> Cheers!,
>
> --J
>
>


-- 
Joel Esler | 706-231-1451 | http://blog.snort.org | http://blog.clamav.net
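To make the parsing question in the quoted mail concrete, here is an added, stand-alone C re-implementation of a single Snort port-specification parser that accepts both the existing ':' delimiter and the proposed '-' delimiter, including the open-ended forms such as `1024-`. It is example code written for this thread, not the attached patch and not Snort's own sfportobject.c or ParsePort; the function names are hypothetical, and treating an empty left side (`:1023`) as starting at port 0 is an assumption about Snort's semantics.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: parse len digits of s as a port in 0..65535.
 * Returns 0 on success, -1 if the text is "not a number" or out of range. */
static int parse_port_number(const char *s, size_t len, int *out)
{
    char buf[6];                       /* at most 5 digits for 0..65535 */
    size_t i;
    if (len == 0 || len > 5) return -1;
    for (i = 0; i < len; i++) {
        if (!isdigit((unsigned char)s[i])) return -1;
        buf[i] = s[i];
    }
    buf[len] = '\0';
    long v = strtol(buf, NULL, 10);
    if (v < 0 || v > 65535) return -1;
    *out = (int)v;
    return 0;
}

/* Hypothetical parser: "80", "1024:", ":1023", "1:1024" and the same forms
 * with '-' instead of ':'.  Fills [lo, hi]; returns 0 on success, -1 on error.
 * Assumption: an empty left side starts at port 0, an empty right side ends
 * at 65535 (an illustrative re-implementation, not Snort's code). */
int parse_port_range(const char *spec, int *lo, int *hi)
{
    const char *delim = strpbrk(spec, ":-");      /* either delimiter */
    if (delim == NULL) {                           /* single port */
        if (parse_port_number(spec, strlen(spec), lo) != 0) return -1;
        *hi = *lo;
        return 0;
    }
    if (strpbrk(delim + 1, ":-") != NULL) return -1;   /* "1:2:3", "1-2-3" */

    size_t left_len = (size_t)(delim - spec);
    const char *right = delim + 1;
    size_t right_len = strlen(right);
    if (left_len == 0 && right_len == 0) return -1;    /* bare ":" or "-" */

    if (left_len == 0) *lo = 0;
    else if (parse_port_number(spec, left_len, lo) != 0) return -1;
    if (right_len == 0) *hi = 65535;
    else if (parse_port_number(right, right_len, hi) != 0) return -1;

    return *lo <= *hi ? 0 : -1;                         /* reversed range */
}

/* Hypothetical convenience wrapper for checks: lo*65536 + hi, or -1 on error. */
long port_range_code(const char *spec)
{
    int lo, hi;
    if (parse_port_range(spec, &lo, &hi) != 0) return -1;
    return (long)lo * 65536 + hi;
}
```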