
List:       snort-devel
Subject:    Re: [Snort-devel] add fatalerror if within size < content len on
From:       Marc Norton <mnorton () sourcefire ! com>
Date:       2007-09-06 20:13:32
Message-ID: 46E05F6C.5020302 () sourcefire ! com

Thanks,

We'll check it out.

rmkml wrote:
> Hi,
> Adding this patch for parsing Snort rules when within size < content len
> (new result: FatalError), example:
>  alert tcp any any -> any any (msg:"test within size < content len";
> flow:to_server,established; content:"POST "; nocase; content:"|FF FF|";
> within:1; distance:0; classtype:attempted-admin; sid:99999998; rev:1;)
> This rule never works because within size < content len (but Snort did not
> warn before this patch).
> 
> Any comments?
> (This patch includes a small copy of ParsePattern() from
> detection-plugins/sp_pattern_match.c)
> 
> Credits:
>    Crusoe Researches
>    http://www.Crusoe-Researches.com
> 
>    Azwalaro: new nidps open source project (Wireshark based)
>    http://www.Crusoe-Researches.com/azwalaro/
> Regards
> Rmkml
> 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel


-- 
Marc Norton
Sourcefire,Inc   410-423-1924
www.snort.org    www.sourcefire.com
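
The check rmkml describes, sketched as a stand-alone rule linter (an added example, not the patch from this thread and not Snort's own code). It assumes Snort 2.x option syntax and ASCII patterns; `content_length` and `undersized_within` are hypothetical names.

```python
import re
import string

# One rule option: keyword, optional ":value" (quoted strings may hold escaped chars), then ";".
OPTION_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;])*))?;')

# Rule quoted in the message above (Snort 2.x syntax).
RULE = ('alert tcp any any -> any any (msg:"test within size < content len"; '
        'flow:to_server,established; content:"POST "; nocase; content:"|FF FF|"; '
        'within:1; distance:0; classtype:attempted-admin; sid:99999998; rev:1;)')


def content_length(pattern):
    """Bytes a content pattern matches: |..| holds hex byte pairs, backslash escapes one char."""
    length, hex_digits, in_hex, i = 0, 0, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '|':
            if in_hex and hex_digits % 2:
                raise ValueError('odd number of hex digits in ' + pattern)
            length += hex_digits // 2 if in_hex else 0
            in_hex, hex_digits = not in_hex, 0
        elif in_hex:
            if ch in string.hexdigits:
                hex_digits += 1
            elif not ch.isspace():
                raise ValueError('bad hex character in ' + pattern)
        else:
            if ch == '\\':
                i += 1          # skip the backslash; the escaped character counts once
            length += 1
        i += 1
    if in_hex:
        raise ValueError('unterminated hex section in ' + pattern)
    return length


def undersized_within(rule):
    """Return (pattern, pattern_bytes, within) for each within smaller than its content."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    findings, last = [], None
    for match in OPTION_RE.finditer(body):
        key, value = match.group(1), (match.group(2) or '').strip()
        if key == 'content':
            pattern = value.lstrip('!').strip()[1:-1]   # drop negation and quotes
            last = (pattern, content_length(pattern))
        elif key == 'within' and last and value.isdigit() and int(value) < last[1]:
            findings.append((last[0], last[1], int(value)))
    return findings
```

Running `undersized_within` over each line of a rules file before loading it flags rules like the one above without waiting for the parser to reject them.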
