List: snort-devel
Subject: Re: [Snort-devel] add fatalerror if within size < content len on
From: Marc Norton <mnorton () sourcefire ! com>
Date: 2007-09-06 20:13:32
Message-ID: 46E05F6C.5020302 () sourcefire ! com
Thanks,
We'll check it out.
rmkml wrote:
> Hi,
> Adding this patch for parsing snort rules if within size < content len
> (new results: FatalError), example:
> alert tcp any any -> any any (msg:"test within size < content len";
> flow:to_server,established; content:"POST "; nocase; content:"|FF FF|";
> within:1; distance:0; classtype:attempted-admin; sid:99999998; rev:1;)
> this rule never works because within size < content len (but snort does not
> warn before this patch),
>
> Any comments?
> (this patch includes a small copy of ParsePattern() from
> detection-plugins/sp_pattern_match.c)
>
> Credits:
> Crusoe Researches
> http://www.Crusoe-Researches.com
>
> Azwalaro: new nidps open source project (Wireshark based)
> http://www.Crusoe-Researches.com/azwalaro/
> Regards
> Rmkml
>
>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
--
Marc Norton
Sourcefire,Inc 410-423-1924
www.snort.org www.sourcefire.com
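
The check discussed in this thread, as an added stand-alone example; it is not the patch attached to the original message and not Snort's own code. The names pattern_len() and check_within() are hypothetical, and the content decoding is a simplified sketch that assumes |..| hex sections, backslash escapes and a decimal within value.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decoded byte length of a content pattern (text between the quotes): |..|
 * holds hex byte pairs, a backslash escapes one character. -1 if malformed. */
static int pattern_len(const char *p, const char *end)
{
    int len = 0, hex = 0, nib = 0;
    for (; p < end; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '|') hex = !hex;                /* enter or leave a hex section */
        else if (hex && isxdigit(c)) nib++;
        else if (hex && !isspace(c)) return -1;
        else if (!hex) {
            p += (c == '\\' && p + 1 < end);     /* escaped char counts once */
            len++;
        }
    }
    return (hex || nib % 2) ? -1 : len + nib / 2;
}

/* Number of within: values smaller than the preceding content; -1 on parse error. */
int check_within(const char *rule)
{
    const char *p = strchr(rule, '(');
    int last = -1, bad = 0;                /* last: byte length of latest content */
    if (!p) return -1;
    for (p++; *p && *p != ')'; p += (*p == ';')) {
        while (isspace((unsigned char)*p)) p++;
        const char *key = p, *q1 = NULL, *q2 = NULL, *val;
        size_t klen = strcspn(p, ":;");
        for (val = p += klen; *p && *p != ';'; p++) {   /* stop at unescaped ';' */
            if (*p == '\\' && p[1]) p++;
            else if (*p == '"') { if (!q1) q1 = p + 1; else q2 = p; }
        }
        if (klen == 7 && !strncmp(key, "content", 7)) {
            if (!q2 || (last = pattern_len(q1, q2)) < 0) return -1;
        } else if (klen == 6 && !strncmp(key, "within", 6) && *val == ':' && last >= 0)
            bad += strtol(val + 1, NULL, 10) < last;    /* assumes a decimal value */
    }
    return bad;
}

/* The rule quoted in the post above. */
const char RULE_POST[] = "alert tcp any any -> any any (msg:\"test within size < content len\"; "
    "flow:to_server,established; content:\"POST \"; nocase; content:\"|FF FF|\"; "
    "within:1; distance:0; classtype:attempted-admin; sid:99999998; rev:1;)";
int main(void) { printf("%d unmatchable within\n", check_within(RULE_POST)); return 0; }
```

A non-zero return marks a rule that can never fire; run over a rule file before deployment, it catches the case that Snort, per the post, accepted without a warning.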