[Snort-users] depth?

Max Vision vision at ...4...
Wed Jan 10 16:06:24 EST 2001


Some recent change in sp_pattern_match.c may have broken the depth keyword 
(tested on Redhat7.0)?

For example the following rule does not work (depth of 1 or higher):
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version"; content: "|07|version"; nocase; depth: 32;)

but this does (depth is zero or omitted):
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version"; content: "|07|version"; nocase; depth: 0;)

Can anyone else confirm on this or other platforms?

Max
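
Added example, not part of the original post and not Snort's code: a Python reference model of what the two rules above should do against a constructed version.bind query. It assumes depth limits the search to the first N payload bytes and that 0 means no limit; the function names and the sample packet are assumptions made for illustration.

```python
import struct

def parse_content(spec):
    """Turn a Snort content string such as '|07|version' into raw bytes."""
    out = bytearray()
    # Segments between pipes alternate: literal text, hex bytes, literal text, ...
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def content_match(payload, spec, nocase=False, depth=0):
    """Assumed semantics: search the first `depth` payload bytes; 0 = whole payload."""
    pattern = parse_content(spec)
    window = payload[:depth] if depth > 0 else payload
    if nocase:  # ASCII-only case folding on both sides
        pattern, window = pattern.lower(), window.lower()
    return pattern in window

def min_depth(payload, spec, nocase=False):
    """Smallest depth value at which the pattern is still found, or None."""
    pattern = parse_content(spec)
    hay = payload.lower() if nocase else payload
    pos = hay.find(pattern.lower() if nocase else pattern)
    return None if pos < 0 else pos + len(pattern)

def version_bind_query(name=b"version"):
    """Constructed sample: DNS query for version.bind, type TXT, class CHAOS."""
    header = struct.pack(">6H", 0x1234, 0x0000, 1, 0, 0, 0)  # 12-byte DNS header
    qname = bytes([len(name)]) + name + b"\x04bind\x00"
    return header + qname + struct.pack(">2H", 16, 3)  # QTYPE=TXT, QCLASS=CH

if __name__ == "__main__":
    q = version_bind_query()
    for depth in (0, 32, 20, 19):
        print(depth, content_match(q, "|07|version", nocase=True, depth=depth))
    print("minimum depth:", min_depth(q, "|07|version", nocase=True))
```

Under these assumptions both rules should fire on this packet, because the pattern ends at payload byte 20; a sensor where only the depth: 0 form alerts is showing the behaviour reported above.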




