[Snort-users] Bad matching of new zone transfer rule by snort?

Fyodor fygrave at ...121...
Mon Oct 9 06:51:05 EDT 2000


On Fri, Oct 06, 2000 at 11:17:29PM -0400, Martin Roesch wrote:
> Hmm, interesting.  I just tested this rule out and it's firing correctly on my
> 1.6.3-patch2 setup.  Are you sure that that was the correct packet?  I'm
> wondering why it collected that particular packet and none of the others in
> the connection with the PA flags set...
> 
 
 Ok here's the patch. I'd appreciate if you could test it out and let me know
 whether it fixes the problem. If the source of the problem which I identified, is correct,
 then we are still passing `dsize' length of buffer to match even if we're starting matching
 the pattern from offset. This causes some data (left from previous packet?) being accounted
 as well.. anyway, let me know if this helps and I will commit it tonight.

--- sp_pattern_match.c.orig	Fri Oct  6 15:27:40 2000
+++ sp_pattern_match.c	Mon Oct  9 17:36:25 2000
@@ -551,8 +551,9 @@
 		    idx->pattern_size, idx->skip_stride, idx->shift_stride);
 		} else
 		{
-		    found = idx->search((p->data + idx->offset), p->dsize, idx->pattern_buf,
-		    idx->pattern_size, idx->skip_stride, idx->shift_stride);
+		  if (p->dsize - idx->offset > 0) 	
+		    	found = idx->search((p->data + idx->offset), p->dsize - idx->offset ,
+			idx->pattern_buf, idx->pattern_size, idx->skip_stride, idx->shift_stride);
 		}
 
 		if (!found)
@@ -659,8 +660,9 @@
                 }
                 else
                 {
-                    found = idx->search((char *)(p->data+idx->offset), p->dsize, idx->pattern_buf,
-                                        idx->pattern_size, idx->skip_stride, idx->shift_stride);
+                    if(p->dsize - idx->offset > 0) 
+			    found = idx->search((char *)(p->data+idx->offset), p->dsize - idx->offset,
+			    idx->pattern_buf, idx->pattern_size, idx->skip_stride, idx->shift_stride);
                 }
 
                 if (!found)



More information about the Snort-users mailing list