[Snort-users] invalid use of byte_test on sid:16603

Will Metcalf william.metcalf at ...11827...
Thu Jun 24 15:30:50 EDT 2010


Haha... Well I guess thanks for silently fixing this ;-).... Maybe you
should update the snort manual to reflect this eh?

Regards,

Will

            case '<': idx->operator = BT_LESS_THAN;
                      break;

            case '>': idx->operator = BT_GREATER_THAN;
                      break;

Is now...

            case '>': idx->operator = BT_GREATER_THAN;
                      cptr++;
                      if (*cptr == '=')
                          idx->operator = BT_GREATER_THAN_EQUAL;
                      else
                          cptr--;
                      break;

            case '<': idx->operator = BT_LESS_THAN;
                      cptr++;
                      if (*cptr == '=')
                          idx->operator = BT_LESS_THAN_EQUAL;
                      else
                          cptr--;
                      break;

Regards,

Will

On Thu, Jun 24, 2010 at 11:21 AM, Will Metcalf
<william.metcalf at ...11827...> wrote:
> Unless something has changed I think the use of byte_test in sid:16603
> is invalid as snort only parses the first char in ">=", actually
> making the test byte_test:4,>,97612894,0,relative,little;. Also I have
> the registered feed so if this is fixed already please disregard.
>
> So I think you probably want to modify...
>
> byte_test:4,>=,97612894,0,relative,little;
>
> to be..
>
> byte_test:4,>,97612893,0,relative,little;
>
> Regards,
>
> Will
>
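
The operator-parsing difference discussed in this thread, as an added example that is not part of the original message and is not Snort source code. All function and enum names are hypothetical, the payload bytes are constructed, and the sketch ignores the offset and relative options of byte_test.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this sketch; these are not Snort's identifiers. */
enum bt_op { OP_BAD, OP_LT, OP_GT, OP_LE, OP_GE };

/* Behaviour reported in the thread: only the first character is examined,
 * so ">=" is taken as ">". */
enum bt_op parse_op_first_char(const char *s)
{
    return *s == '<' ? OP_LT : *s == '>' ? OP_GT : OP_BAD;
}

/* Behaviour after the change: look one character ahead for '='. */
enum bt_op parse_op_lookahead(const char *s)
{
    if (*s == '<') return s[1] == '=' ? OP_LE : OP_LT;
    if (*s == '>') return s[1] == '=' ? OP_GE : OP_GT;
    return OP_BAD;
}

/* Decode 4 bytes as little-endian, as "4,...,little" asks for. */
uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 if the test matches, 0 if not (or if the operator is unknown). */
int byte_test4(enum bt_op op, const unsigned char *p, uint32_t value)
{
    uint32_t got = le32(p);
    switch (op) {
    case OP_LT: return got <  value;
    case OP_GT: return got >  value;
    case OP_LE: return got <= value;
    case OP_GE: return got >= value;
    default:    return 0;
    }
}

/* Constructed sample: 97612894 (0x05D1745E) in little-endian byte order. */
const unsigned char boundary[4] = { 0x5E, 0x74, 0xD1, 0x05 };

int main(void)
{
    printf("first-char '>=' 97612894: %d\n", byte_test4(parse_op_first_char(">="), boundary, 97612894u));
    printf("lookahead  '>=' 97612894: %d\n", byte_test4(parse_op_lookahead(">="), boundary, 97612894u));
    printf("first-char '>'  97612893: %d\n", byte_test4(parse_op_first_char(">"), boundary, 97612893u));
    return 0;
}
```

The boundary value is the only input on which the two parsers disagree, which is why a rule written with ">=" silently misses exactly that value on a first-character parser.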



