[Snort-devel] [PATCH 1/5]: byte_test: support bitwise OR

Ryan Jordan ryan.jordan at ...402...
Tue May 3 15:22:34 EDT 2011


Hi Joshua,

I'm in the process of reviewing your patches now, but I figured I'd
respond to this one early. I should be responding to your other emails
by today or tomorrow.

The attached patch does work as advertised, but using a bitwise OR in
a byte_test option doesn't actually detect anything. The byte_test
option works by applying an operation, then checking for a non-zero
result. In the case of bitwise OR, any non-zero "value" parameter will
always cause the option to match regardless of packet data.

I nearly added this myself in Snort 2.8.5, until I sat and thought
about actual use cases. :)

Good call on the error in the manual. We'll make sure that gets fixed.

Thanks,
Ryan

On Fri, Apr 29, 2011 at 12:41 AM,  <Joshua.Kinard at ...3108...> wrote:
>
> Hi snort-devel,
>
> The attached patch adds bitwise OR support for byte_test.  Bitwise AND
> and bitwise XOR is already supported**, thus I figure bitwise OR can't
> hurt.  I cannot yet think of a use for it, but I'm sure someone out
> there has pondered it.
>
> Note: The manual calls bitwise XOR "OR".  This is fixed in a follow-on
> patch to the manual.
>
> Note: Please double-check this for accuracy.  There appears to be a fair
> bit of duplicated code in Snort, so I hope I hit all the right places.
> A patch specific to dcerpc2 will follow for this feature and a few
> others.
>
>
> Cheers!,
>
> --J
>
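To make the point in Ryan's reply concrete, here is an added example (not part of the thread, and not Snort's own byte_test implementation) that models the byte_test match rule as Ryan describes it: extract N bytes at an offset, apply the operator to the extracted integer and the rule's value, and treat any non-zero result as a match. The relational operators are included for completeness; the exhaustive check over every possible byte value shows that bitwise OR with a non-zero value matches unconditionally, while AND and XOR still partition the input. The helper names and the simplified option handling (no `relative`, `string` or `!` negation) are assumptions of this example.

```python
# Simplified model of Snort's byte_test matching semantics (example only,
# not Snort's code).  byte_test: <bytes>, <operator>, <value>, <offset>
# The option matches when the operator applied to the extracted integer
# and <value> yields a non-zero (true) result.

def byte_test(payload: bytes, nbytes: int, op: str, value: int,
              offset: int, little_endian: bool = False) -> bool:
    """Return True when the byte_test option would match on this payload."""
    chunk = payload[offset:offset + nbytes]
    if len(chunk) < nbytes:
        return False  # not enough data at that offset: no match
    n = int.from_bytes(chunk, "little" if little_endian else "big")
    if op == "<":
        return n < value
    if op == ">":
        return n > value
    if op == "=":
        return n == value
    if op == "&":
        return (n & value) != 0  # detects: at least one masked bit set
    if op == "^":
        return (n ^ value) != 0  # detects: value differs from n
    if op == "|":
        return (n | value) != 0  # useless: non-zero value always matches
    raise ValueError(f"unknown byte_test operator {op!r}")


def match_count(nbytes: int, op: str, value: int) -> int:
    """Count how many of the 2**(8*nbytes) possible field values match."""
    return sum(
        byte_test(n.to_bytes(nbytes, "big"), nbytes, op, value, 0)
        for n in range(1 << (8 * nbytes))
    )


def always_matches(nbytes: int, op: str, value: int) -> bool:
    """True when the option fires for every possible field value."""
    return match_count(nbytes, op, value) == (1 << (8 * nbytes))


if __name__ == "__main__":
    # Constructed sample payload: a one-byte "flags" field followed by data.
    pkt = b"\x00\x41\x42"
    print("AND 0x80 on flags=0x00:", byte_test(pkt, 1, "&", 0x80, 0))  # False
    print("OR  0x80 on flags=0x00:", byte_test(pkt, 1, "|", 0x80, 0))  # True
    for op in "&^|":
        print(f"{op} 0x80 matches {match_count(1, op, 0x80)}/256 byte values;"
              f" unconditional: {always_matches(1, op, 0x80)}")
```

Running the block prints that `&` 0x80 matches 128 of 256 byte values and `^` 0x80 matches 255, but `|` 0x80 matches all 256, which is exactly why the operator adds no detection capability: a rule using it fires on every packet that reaches it. The only OR value that does not match unconditionally is 0, and then the test reduces to "field is non-zero", which `>` 0 already expresses.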
