[Snort-users] New Vision Rule Problems (not?)

Michael Davis mike at ...92...
Sun Aug 20 21:54:45 EDT 2000


Hello,

>  We don't treat colon (`:') as any special character in the content argument
> parsing routine (have a look at parse-pattern). Basically only the following
> rules apply to the content argument:

It appears to try to parse the colon as another delimiter, such as when
it splits 'content: "|0980|" '
into 'content' and ' "|0980|" '

If you compile mstring.c with DEBUG you can see what is happening:
mSplit got 2 tokens!
[*] Splitting string:  content: "Translate: F"
curr_str = 0
max_strs = 3  curr_str = 0
Allocating 9 bytes for token tok[0]:  content
curr_str = 1
max_strs = 3  curr_str = 1
Checking if curr_str (1) >= max_strs (3)
Allocating 12 bytes for token tok[1]:  "Translate
curr_str = 2
max_strs = 3  curr_str = 2
Checking if curr_str (2) >= max_strs (3)
Allocating 4 bytes for last token tok[2]:  F"
mSplit got 3 tokens!
ERROR Line 92 => Content data needs to be enclosed in quotation marks (")!

This is as far as I have gotten in debugging the problem.

As stated before, it does not appear to be WIN32-specific. I have tested the
rule on a Debian Linux machine, a FreeBSD 4.0 machine, and WIN32, all using
default builds (./configure ; make).

Michael Davis
Chief Technical Officer
Data Nerds, LLC.
http://www.datanerds.net

> all characters should be in range from 0x1f - 0x7e (strange, I would put
> 0x20 for starters, and 0x80 for endings ;-)), if character is `|' and it's
> not prepended by literal character ('\') parser enters hex mode, where
> only 0-9a-fA-F (verified by isxdigit(3)) and spaces are allowed. |
> switches back to `normal' mode. That's it.
>
> By the way, would you mind elaborating on `have the problem'. Are you
> getting any error message or the rule just `doesn't seem to work'? (sorry
> if I missed any details in earlier posts under this thread).
>
>
>
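
A small C model of the splitting shown in the debug trace above, added here as an illustration; it is not Snort's mSplit or parse-pattern code, and the names split_opt, content_is_quoted and parse_content_option are made up for the example. With quote_aware == 0 it reproduces the three-token result from the trace (so the content data fails the enclosed-in-quotes check); with quote_aware == 1 a colon between double quotes is kept as literal content and the same option parses.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKS 3   /* the max_strs value in the trace above */
#define TOK_LEN 64

/* Split on ':' into at most MAX_TOKS tokens. With quote_aware == 0 a colon
 * inside quotes also splits (the behaviour the trace shows); with
 * quote_aware == 1 a colon between double quotes is literal content. */
static int split_opt(const char *s, int quote_aware, char toks[MAX_TOKS][TOK_LEN]) {
    int n = 0, in_quote = 0;
    size_t len = 0;
    for (const char *p = s;; p++) {
        if (*p == '"' && quote_aware) in_quote = !in_quote;
        if (*p == '\0' || (*p == ':' && !in_quote && n < MAX_TOKS - 1)) {
            toks[n++][len] = '\0';      /* close the current token */
            len = 0;
            if (*p == '\0') break;
            continue;
        }
        if (len < TOK_LEN - 1) toks[n][len++] = *p;
    }
    return n;
}

/* The check behind "Content data needs to be enclosed in quotation marks". */
static int content_is_quoted(const char *arg) {
    while (*arg == ' ' || *arg == '\t') arg++;   /* skip leading blanks */
    size_t len = strlen(arg);
    return len >= 2 && arg[0] == '"' && arg[len - 1] == '"';
}

/* Parse a "content: <data>" option; returns 1 if accepted, 0 if the rule
 * would be rejected. data may be NULL when the caller only wants the verdict. */
static int parse_content_option(const char *opt, int quote_aware, char *data) {
    char toks[MAX_TOKS][TOK_LEN];
    int n = split_opt(opt, quote_aware, toks);
    if (n != 2 || !content_is_quoted(toks[1])) return 0;
    if (data) strcpy(data, toks[1]);
    return 1;
}

int main(void) {
    char data[TOK_LEN];
    const char *opt = "content: \"Translate: F\"";   /* constructed from the trace */
    printf("quote-blind split: accepted=%d\n", parse_content_option(opt, 0, data));
    printf("quote-aware split: accepted=%d data=%s\n", parse_content_option(opt, 1, data), data);
    return 0;
}
```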
