[Snort-users] Re: [Snort-sigs] Announcing sp_perl

Chris Green cmg at ...1935...
Mon May 12 06:07:22 EDT 2003


Jeff Nathan <jeff at ...950...> writes:

> As described in our CanSecWest/core03 presentation, Advanced IDS, Brian 
> Caswell and I are proud to present a new detection plugin for Snort: 
> sp_perl.  This detection plugin offers users full regular expression 
> matching within a Snort rule as well as runtime execution of perl
> code.

Religious issues aside,

1)  otn->ds_list[PLUGIN_PERL] = (PerlData *)calloc(sizeof(PerlData),
                                 sizeof(u_int8_t));

    should be checked

2)
+    /* room for a full-sized IP packet + null terminator */
+    memset(tmp_payload, 0, 65537);

  That could be switched to dsize and usually average a 500 byte memset.

3) tmp_payload[p->dsize - 1] ='\0';

   that ends up being tmp_payload[0xFFFFFFFF] = '\0' on 0 byte packets.


4) dinky optimization
        snprintf(srcport, 6, "%hu", 0);
        snprintf(dstport, 6, "%hu", 0);

    can be just
        srcport = "0";
        dstport = "0";

I don't have enough time to look at and understand the rest.
-- 
Chris Green <cmg at ...1935...>
Fame may be fleeting but obscurity is forever.
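
The allocation check, the dsize-sized write and the zero-length payload case from the review above, combined in one C example that is added here and is not code from sp_perl or from either poster. `DemoPacket`, `DemoRuleData`, `attach_rule_data` and `copy_payload` are hypothetical names, and placing the terminator after the data rather than over its last byte is a choice made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD 65535u   /* full-sized IP packet; buffers add 1 for the NUL */

typedef struct { const uint8_t *data; uint16_t dsize; } DemoPacket;  /* hypothetical */
typedef struct { int compiled; } DemoRuleData;                      /* hypothetical */

/* Point 1: allocate per-rule state and report failure to the caller. */
int attach_rule_data(DemoRuleData **slot)
{
    if (slot == NULL)
        return -1;
    *slot = calloc(1, sizeof(**slot));   /* (count, size) argument order */
    return (*slot == NULL) ? -1 : 0;
}

/* Points 2 and 3: touch only dsize + 1 bytes and never compute dsize - 1.
 * Returns the number of payload bytes copied, or -1 if it cannot fit. */
long copy_payload(char *buf, size_t cap, const DemoPacket *p)
{
    if (buf == NULL || p == NULL || cap == 0)
        return -1;
    if (p->dsize == 0 || p->data == NULL) {
        buf[0] = '\0';                   /* empty payload becomes an empty string */
        return 0;
    }
    if ((size_t)p->dsize >= cap)         /* need room for the data plus the NUL */
        return -1;
    memcpy(buf, p->data, p->dsize);
    buf[p->dsize] = '\0';                /* terminator goes after the data */
    return (long)p->dsize;
}

int main(void)
{
    static char tmp_payload[MAX_PAYLOAD + 1];
    DemoPacket empty = { NULL, 0 };                    /* constructed input */
    DemoPacket req = { (const uint8_t *)"GET /", 5 };  /* constructed input */
    DemoRuleData *rd = NULL;

    if (attach_rule_data(&rd) != 0)
        return 1;
    printf("empty -> %ld\n", copy_payload(tmp_payload, sizeof(tmp_payload), &empty));
    printf("req   -> %ld\n", copy_payload(tmp_payload, sizeof(tmp_payload), &req));
    free(rd);
    return 0;
}
```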