[Snort-devel] [PATCH]: Support the hyphen character in a port range
jesler at ...402...
Sun Mar 6 16:48:29 EST 2011
I've submitted your patch as a bug into our system. As always, I'll provide
you feedback for your patch.
On Fri, Mar 4, 2011 at 9:29 PM, <Joshua.Kinard at ...3108...> wrote:
> Hi snort-devel,
> The SourceFire documentation gives indications that the colon ':'
> operator is on its way out the door as the delimiter for port ranges.
> It is to be replaced by the hyphen '-' instead. However, Snort itself
> doesn't appear to support this character:
> ERROR: local.rules(168) ***Rule--PortVar Parse error: (pos=5,error=not a
> >> ^
> Fatal Error, Quitting..
> I poked around in the source and found what appears to be the file that
> handles port parsing in src/sfutil/sfportobject.c, and making two small
> changes makes the hyphen character supported (I'm a bit spooked by this
> easy change, I'll add).
> There appears to be a duplicate port parsing function in src/parser.c,
> ParsePort. However, I wedged a printf() call in there and ran the
> compiled snort against some offline pcap data using rules with ranges
> (and a variable with a range) and didn't see it trigger. Is this old
> parsing code by chance? That is not modified unless I figure out the
> call chain needed to test it (C isn't my best of languages, especially
> when dealing with string parsing).
> I have not modified the manual because I'm not certain what the logic
> behind using the hyphen over the colon is. Given the large number of
> open-source rules out there, this would be a significant change and
> supporting the colon would be needed for quite a long time. I'm also
> not certain that the hyphen enhances the readability of a rule in any
> 1) alert tcp $HOME_NET 1024- -> $EXTERNAL_NET $HTTP_PORTS ( ... )
> 2) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS ( ... )
> #2 just seems more....intuitive. Maybe it's just because I've gotten
> used to reading Snort rules that way. Logically, the hyphen is widely
> accepted as the range delimiter in a number of applications, so perhaps
> this is the thinking.
> Anyways, patch is attached. If ParsePort needs modifying, then please
> advise me on how that is used (i.e., what do I need to do to trigger
> it). Or if it's old/dead code, maybe discussion is needed on removing
Joel Esler | 706-231-1451 | http://blog.snort.org | http://blog.clamav.net
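
The delimiter handling discussed in this thread, as an added example that is not part of the original messages and is neither the attached patch nor Snort's code in src/sfutil/sfportobject.c: a strict port-range parser that accepts both ':' and '-' and rejects malformed tokens instead of guessing. The names parse_num and parse_port_range, and the reading of "-M" as 0..M by analogy with ":M", are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

#define PORT_MAX 65535L

/* Read a run of decimal digits at *s into *out and advance *s.
 * Returns -1 if there is no digit or the value exceeds 65535. */
static int parse_num(const char **s, long *out)
{
    char *end;
    if (!isdigit((unsigned char)**s))
        return -1;
    errno = 0;
    *out = strtol(*s, &end, 10);
    if (errno != 0 || *out > PORT_MAX)
        return -1;
    *s = end;
    return 0;
}

/* Accepts N, N:M, N-M, N: or N- (N..65535), :M or -M (0..M).
 * Returns 0 and fills lo/hi on success, -1 on any malformed token. */
int parse_port_range(const char *tok, unsigned short *lo, unsigned short *hi)
{
    long a = 0, b = PORT_MAX;
    int have_a;

    if (tok == NULL || *tok == '\0')
        return -1;
    have_a = isdigit((unsigned char)*tok) != 0;
    if (have_a && parse_num(&tok, &a) != 0)
        return -1;
    if (*tok == '\0') {
        b = a;                          /* single port */
    } else if (*tok == ':' || *tok == '-') {
        tok++;
        if (*tok == '\0' && !have_a)
            return -1;                  /* bare delimiter */
        if (*tok != '\0' && (parse_num(&tok, &b) != 0 || *tok != '\0'))
            return -1;                  /* bad or trailing characters */
    } else {
        return -1;                      /* unknown delimiter */
    }
    if (a > b)
        return -1;                      /* reversed range */
    *lo = (unsigned short)a;
    *hi = (unsigned short)b;
    return 0;
}
```
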