[Snort-sigs] Re: Depth and multi content rule help.

nick black dank at ...1581...
Thu Jun 19 09:18:18 EDT 2003

In article <9A01501BF79D864D95402AF6FBEE33D9029290EC at ...577...>, larosa, vjay wrote:
> alert any any -> any any (msg:"Test" content:"123"; content:"101112";
> depth:48; content:"|ff 53 4d 42 a2|";)
> Will this work? Or will my depth keyword apply to the all three content
> matches?

the first evidence that the depth, etc modifiers applied only to certain
content options in the signature was SID 2003, the sql slammer worm:

content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"

if the depth:1 applied to both content rules, the second content could
never be matched; if it applied to neither, the first content is
entirely unnecessary (it's contained within the second).

confirmation lurks within PayloadSearchDepth, where the lines:

idx = (PatternMatchData *) otn->ds_list[lastType];

if(idx == NULL)
    FatalError("ERROR %s Line %d => Please place \"content\" rules "
               "before depth, nocase or offset modifiers.\n",
               file_name, file_line);

while(idx->next != NULL)
    idx = idx->next;

show that only the last content rule is modified.  someone should update
the documentation, as this bit me when i wrote my company's snort
compatibility code :).

nick black <dank at ...1582...>
"np:  nondeterministic polynomial-time
the class of dashed hopes and idle dreams." - the complexity zoo
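
The behaviour described in the message above, as an added example that is not part of the original post or Snort's source: a simplified model in which each content option appends to a list and depth modifies only the last entry. The `Pmd` struct, the function names and the payload are hypothetical and constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for Snort's PatternMatchData (hypothetical layout). */
typedef struct Pmd {
    const unsigned char *pat;
    size_t len;
    size_t depth;                 /* 0 = search the whole payload */
    struct Pmd *next;
} Pmd;

/* "content:" appends a new pattern to the end of the rule's list. */
static void add_content(Pmd **head, const void *pat, size_t len) {
    Pmd *n = calloc(1, sizeof *n), **pp = head;
    if (n == NULL) abort();
    n->pat = pat; n->len = len;
    while (*pp != NULL) pp = &(*pp)->next;
    *pp = n;
}

/* "depth:" walks to the last pattern and modifies only that one. */
static int set_depth(Pmd *head, size_t depth) {
    if (head == NULL) return -1;  /* modifier placed before any content */
    while (head->next != NULL) head = head->next;
    head->depth = depth;
    return 0;
}

/* A rule matches when every pattern occurs within its own depth window. */
static int rule_matches(const Pmd *p, const unsigned char *buf, size_t n) {
    for (; p != NULL; p = p->next) {
        size_t lim = (p->depth && p->depth < n) ? p->depth : n, i, hit = 0;
        for (i = 0; !hit && i + p->len <= lim; i++)
            hit = memcmp(buf + i, p->pat, p->len) == 0;
        if (!hit) return 0;
    }
    return 1;
}

/* Constructed payload: 0x04, two filler bytes, then the second pattern. */
static const unsigned char payload[] = "\x04" "AA" "\x81\xF1\x03\x01\x04\x9B\x81\xF1\x01";

int main(void) {
    Pmd *rule = NULL;
    add_content(&rule, "\x04", 1);
    set_depth(rule, 1);           /* lands on the |04| pattern only */
    add_content(&rule, "\x81\xF1\x03\x01\x04\x9B\x81\xF1\x01", 9);
    return rule_matches(rule, payload, sizeof payload - 1) ? 0 : 1;
}
```

Forcing a depth of 1 onto the second pattern as well makes the rule unmatchable, which is the contradiction the message uses to show that the modifier cannot apply to every content option.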

