[Snort-users] depth?

Chris Green cmg at ...671...
Wed Jan 10 18:35:17 EST 2001


sub_depth = p->dsize; // - (idx->offset + idx->depth); /* we want to match depth bytes anyway */

at about line 541 and 639 in sp_pattern_match.c

with depth 32 and a dsize of 30,  sub_depth was equal to -2 so it was 
searching -2 bytes into the packet.

Now, it will only go to dsize bytes into the packet no matter what the
offset says. Would someone verify that this is a correct solution?

Chris Green <cmg at ...671...> writes:

> Max Vision <vision at ...4...> writes:
> 
> > For example the following rule does not work (depth of 1 or higher):
> > alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version"; 
> > content: "|07|version"; nocase; depth: 32;)
> > 
> > but this does (depth is zero or omitted):
> > alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version"; 
> > content: "|07|version"; nocase; depth: 0;)
> > 
> > Can anyone else confirm on this or other platforms?
> 
> Seeing your message right after mine, depth of 29 works but does not
> work when depth exceeds the payload length.  This is on a redhat 6.2
> box.
> 
> -- 
> Chris Green <cmg at ...671...>
> You now have 14 minutes to reach minimum safe distance.
> 

-- 
Chris Green <cmg at ...671...>
A good pun is its own reword.
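
An added example, not part of the original message and not Snort's own code: the subtraction quoted above next to one way of clamping the search window to the payload, run against a constructed 30-byte DNS version.bind query. The function names are hypothetical, and it assumes depth is counted from the offset and that a depth of 0 means no limit.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 30-byte DNS query for version.bind (TXT, CHAOS); not a capture. */
static const unsigned char sample[30] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'v', 'e', 'r', 's', 'i', 'o', 'n', 4, 'b', 'i', 'n', 'd', 0,
    0x00, 0x10, 0x00, 0x03
};
static const unsigned char pat[8] = { 7, 'V', 'E', 'R', 'S', 'I', 'O', 'N' };

/* Arithmetic quoted in the message: negative once offset + depth > dsize. */
int old_sub_depth(int dsize, int offset, int depth)
{
    return dsize - (offset + depth);
}

/* Bytes that may be searched from payload[offset]; depth 0 = no limit (assumed). */
size_t search_window(size_t dsize, size_t offset, size_t depth)
{
    size_t avail;
    if (offset >= dsize)
        return 0;                 /* offset past the payload: nothing to search */
    avail = dsize - offset;
    return (depth == 0 || depth > avail) ? avail : depth;
}

/* Case-insensitive, binary-safe search; returns payload index or -1. */
long find_nocase(const unsigned char *p, size_t dsize, size_t offset,
                 size_t depth, const unsigned char *pt, size_t plen)
{
    size_t win = search_window(dsize, offset, depth), i, j;
    if (plen == 0 || plen > win)
        return -1;
    for (i = 0; i + plen <= win; i++) {
        for (j = 0; j < plen; j++)
            if (tolower(p[offset + i + j]) != tolower(pt[j]))
                break;
        if (j == plen)
            return (long)(offset + i);
    }
    return -1;
}

int main(void)
{
    printf("old: %d, window: %zu, match at: %ld\n", old_sub_depth(30, 0, 32),
           search_window(30, 0, 32), find_nocase(sample, 30, 0, 32, pat, 8));
    return 0;
}
```

Using unsigned sizes and checking the offset before subtracting keeps the window from ever going negative, so a rule whose depth exceeds the payload length still matches instead of being silently skipped.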



