[Snort-users] depth?

jh jh at ...1121...
Wed Jan 10 16:56:05 EST 2001


Max Vision wrote:
> 
> Some recent change in sp_pattern_match.c may have broken the depth keyword
> (tested on Red Hat 7.0)?
> 
> For example the following rule does not work (depth of 1 or higher):
> alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version";
> content: "|07|version"; nocase; depth: 32;)
> 
> but this does (depth is zero or omitted):
> alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version";
> content: "|07|version"; nocase; depth: 0;)
> 

Yeah, that's exactly what Chris Green and I were banging around. This
problem also exists on FreeBSD 4.2-RELEASE and Red Hat 6.2.

/jh
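
Added example, not part of the original thread and not Snort's own code: a reference matcher for checking what the quoted rule should do with depth: 32 on a version.bind query. The helper content_match, the sample packet bytes, and the reading of depth as "search only the first N payload bytes, 0 meaning the whole payload" are assumptions of this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: UDP payload of a DNS query for version.bind, TXT, CHAOS. */
static const unsigned char QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,  /* id, flags, qdcount, ancount */
    0x00, 0x00, 0x00, 0x00,                          /* nscount, arcount */
    0x07, 'v', 'e', 'r', 's', 'i', 'o', 'n',         /* label "version" */
    0x04, 'b', 'i', 'n', 'd', 0x00,                  /* label "bind", root label */
    0x00, 0x10, 0x00, 0x03                           /* QTYPE TXT, QCLASS CHAOS */
};

/* The rule's content "|07|version": one length byte plus seven letters. */
static const unsigned char PATTERN[] = { 0x07, 'v', 'e', 'r', 's', 'i', 'o', 'n' };

/* Hypothetical helper: offset of the first match, or -1 if none.
 * Assumption: depth 0 searches the whole payload; otherwise the pattern
 * must lie entirely within the first `depth` bytes. */
static long content_match(const unsigned char *data, size_t dlen,
                          const unsigned char *pat, size_t plen,
                          size_t depth, int nocase)
{
    size_t window = (depth != 0 && depth < dlen) ? depth : dlen;
    if (plen == 0 || plen > window)
        return -1;
    for (size_t i = 0; i + plen <= window; i++) {
        size_t j = 0;
        while (j < plen) {
            unsigned char a = data[i + j], b = pat[j];
            if (nocase) { a = (unsigned char)tolower(a); b = (unsigned char)tolower(b); }
            if (a != b) break;
            j++;
        }
        if (j == plen)
            return (long)i;
    }
    return -1;
}

int main(void)
{
    size_t depths[] = { 0, 32, 20, 19 };
    for (size_t k = 0; k < sizeof depths / sizeof depths[0]; k++)
        printf("depth %2zu -> %ld\n", depths[k],
               content_match(QUERY, sizeof QUERY, PATTERN, sizeof PATTERN, depths[k], 1));
    return 0;
}
```

The pattern sits at payload offset 12, right after the DNS header, and ends at byte 20, so under this reading any depth of 20 or more should alert just as depth 0 does.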



