[Snort-users] New Vision Rule Problems (not?)

Christopher Cramer cec at ...68...
Mon Aug 21 11:51:41 EDT 2000


Michael,

I'm sure Marty et al would accept code
contributions to that effect :-)

-Chris

On Sun, 20 Aug 2000, Michael Davis wrote:

> > The fact that the text in question is enclosed in quotes makes no
> > difference to mSplit.  So, mSplit gives a token that isn't enclosed in
> 
> I think it should.  mSplit() should split on ':'; then, since the data after
> the colon is in quotes, it should strip the quotes and use exactly what was
> inside of the quotes.  If you need quotes within the quotes then use the
> meta character (\").  mSplit() should know the difference between 'content:
> "Blah" ' and 'content: "Blah : Blah" '
> 
> That is just my two cents.
> 
> Michael Davis
> Chief Technical Officer
> Data Nerds, LLC.
> http://www.datanerds.net
> 
> > quotes, and the content plugin hangs up on it.
> >
> > -Chris
> >
> > ----------------------------------------------------------------------
> > Dr. Christopher E. Cramer
> > Associate in Research
> > Duke University, Department of Electrical and Computer Engineering
> > 114 Hudson Hall, Box 90291, Durham, NC  27708-0291
> > PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...68...
> >
> >
> > On Sun, 20 Aug 2000, Michael Davis wrote:
> >
> > > Hello,
> > >
> > > >  We don't treat colon (`:') as any special character in the content
> > > > argument parsing routine (have a look at parse-pattern). Basically only
> > > > the following rules apply to the content argument:
> > >
> > > It appears to try to parse the colon as another delimiter, such as when
> > > it splits 'content: "|0980|" '
> > > into 'content' and ' "|0980|" '
> > >
> > > If you compile mstring.c with DEBUG you can see what is happening:
> > > mSplit got 2 tokens!
> > > [*] Splitting string:  content: "Translate: F"
> > > curr_str = 0
> > > max_strs = 3  curr_str = 0
> > > Allocating 9 bytes for token tok[0]:  content
> > > curr_str = 1
> > > max_strs = 3  curr_str = 1
> > > Checking if curr_str (1) >= max_strs (3)
> > > Allocating 12 bytes for token tok[1]:  "Translate
> > > curr_str = 2
> > > max_strs = 3  curr_str = 2
> > > Checking if curr_str (2) >= max_strs (3)
> > > Allocating 4 bytes for last token tok[2]:  F"
> > > mSplit got 3 tokens!
> > > ERROR Line 92 => Content data needs to be enclosed in quotation marks (")!
> > >
> > > This is as far as I have gotten in debugging the problem.
> > >
> > > As stated before, it does not appear to be WIN32 specific. I have tested
> > > the rule on a Debian Linux machine, a FreeBSD 4.0 machine, and WIN32, all
> > > using default builds (./configure ; make)
> > >
> > > Michael Davis
> > > Chief Technical Officer
> > > Data Nerds, LLC.
> > > http://www.datanerds.net
> > >
> > > > all characters should be in the range 0x1f - 0x7e (strange, I would put
> > > > 0x20 for starters, and 0x80 for endings ;-)), if the character is `|' and
> > > > it's not preceded by the literal character ('\') the parser enters hex
> > > > mode, where only 0-9a-fA-F (verified by isxdigit(3)) and spaces are
> > > > allowed. `|' switches back to `normal' mode. That's it.
> > > >
> > > > By the way, would you mind elaborating on `have the problem'. Are you
> > > > getting any error message or does the rule just `not seem to work'? (sorry
> > > > if I missed any details in earlier posts under this thread).
> > > >
> > > >
> > > >
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> > >

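The quote-aware splitting Michael proposes above, written out as an added example for this thread (it is not Snort's own mSplit() or parse-pattern code): the option is split at the first ':' that lies outside double quotes, the surrounding quotes are stripped, \" inside them yields a literal quote, and the resulting text is decoded with the hex-mode rules quoted in the thread ('|' enters hex mode, where only hex digits and spaces are allowed, and a second '|' leaves it). The function names, the choice of printable ASCII (0x20-0x7e) for normal-mode characters, the handling of other backslash escapes, and the sample options other than the two quoted above are assumptions of this example, not behaviour of the Snort code under discussion.

```c
/* Added example for this thread (not Snort's own mSplit()/parse-pattern):
 * quote-aware parsing of one "keyword: value" rule option.
 * Assumptions: the value must be double-quoted, \" inside the quotes is a
 * literal quote, '|' toggles the hex mode described in the thread, and
 * normal-mode characters must be printable ASCII (0x20-0x7e). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Split at the first ':' that lies outside double quotes.  Writes the
 * trimmed keyword and the unquoted value (\" unescaped, other backslash
 * escapes passed through to decode_pattern).  Returns 0, or -1 if malformed. */
int split_option(const char *opt, char *key, size_t keylen, char *val, size_t vallen)
{
    const char *p = opt, *ks, *ke;
    int inq = 0;
    size_t n = 0;
    for (; *p; p++) {                         /* find the real delimiter */
        if (*p == '\\' && p[1]) { p++; continue; }
        if (*p == '"') inq = !inq;
        else if (*p == ':' && !inq) break;
    }
    if (*p != ':') return -1;                 /* no keyword/value separator */
    ks = opt; ke = p;                         /* trim the keyword */
    while (ks < ke && isspace((unsigned char)*ks)) ks++;
    while (ke > ks && isspace((unsigned char)ke[-1])) ke--;
    if (ke == ks || (size_t)(ke - ks) >= keylen) return -1;
    memcpy(key, ks, (size_t)(ke - ks));
    key[ke - ks] = '\0';
    for (p++; isspace((unsigned char)*p); p++) {}
    if (*p != '"') return -1;                 /* value must be quoted */
    for (p++; *p && *p != '"'; p++) {
        if (*p == '\\' && p[1]) {             /* \" -> "; keep other escapes */
            if (p[1] != '"') { if (n + 1 >= vallen) return -1; val[n++] = '\\'; }
            p++;
        }
        if (n + 1 >= vallen) return -1;
        val[n++] = *p;
    }
    if (*p != '"') return -1;                 /* unterminated quote */
    val[n] = '\0';
    for (p++; isspace((unsigned char)*p); p++) {}
    return *p == '\0' ? 0 : -1;               /* nothing may follow the quote */
}

/* Turn the unquoted text into raw bytes: '|' enters hex mode, where only hex
 * digit pairs and spaces are allowed, and a second '|' leaves it; outside hex
 * mode "\x" is a literal x.  Returns the byte count, or -1 if malformed. */
int decode_pattern(const char *txt, unsigned char *out, size_t outlen)
{
    int hex = 0, pending = 0;                 /* pending: half a byte read */
    unsigned byte = 0;
    size_t n = 0;
    for (const char *p = txt; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (hex) {
            if (c == '|' || c == ' ') {
                if (pending) return -1;       /* odd number of hex digits */
                if (c == '|') hex = 0;
                continue;
            }
            if (!isxdigit(c)) return -1;
            byte = (byte << 4) | (unsigned)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
            if (pending) {
                if (n >= outlen) return -1;
                out[n++] = (unsigned char)byte;
                byte = 0;
            }
            pending = !pending;
        } else {
            if (c == '|') { hex = 1; continue; }
            if (c == '\\' && p[1]) c = (unsigned char)*++p;
            if (c < 0x20 || c > 0x7e || n >= outlen) return -1;
            out[n++] = c;
        }
    }
    return hex ? -1 : (int)n;                 /* -1: unterminated hex section */
}

/* Parse a complete content option; -1 if malformed or not a content option. */
int parse_content_option(const char *opt, unsigned char *out, size_t outlen)
{
    char key[32], val[256];
    if (split_option(opt, key, sizeof key, val, sizeof val) != 0) return -1;
    if (strcmp(key, "content") != 0) return -1;
    return decode_pattern(val, out, outlen);
}

/* Self-check helper: does the option decode to exactly these bytes? */
int decodes_to(const char *opt, const char *want, size_t wantlen)
{
    unsigned char buf[256];
    int n = parse_content_option(opt, buf, sizeof buf);
    return n >= 0 && (size_t)n == wantlen && memcmp(buf, want, wantlen) == 0;
}

int main(void)
{   /* constructed sample options; the first is the rule from the debug trace */
    const char *samples[] = {
        "content: \"Translate: F\"", "content: \"Blah : Blah\"",
        "content:\"|0980|\"", "content: \"|09 80| X\"",
        "content: \"say \\\"hi\\\"\"", "content: Translate", "content: \"|0g|\"",
    };
    unsigned char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int n = parse_content_option(samples[i], buf, sizeof buf);
        printf("%-26s -> ", samples[i]);
        if (n < 0) { puts("malformed"); continue; }
        for (int j = 0; j < n; j++) printf("%02x ", buf[j]);
        putchar('\n');
    }
    return 0;
}
```

Build with cc -std=c99 -Wall. The rule from the debug trace, content: "Translate: F", comes back as one keyword and one 12-byte pattern instead of the three tokens mSplit produced, and an unquoted, unterminated or badly hex-encoded value is rejected at the split rather than surfacing later as the "needs to be enclosed in quotation marks" error.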