
List:       snort-sigs
Subject:    Re: [Snort-sigs] Bad range in Snort rules
From:       "Joel Esler (jesler)" <jesler () cisco ! com>
Date:       2013-12-16 17:00:32
Message-ID: 83C383A2-8822-42E6-8B78-60A4651097C2 () cisco ! com

Lukas, yes, this will be fixed in an upcoming release.

--
Joel Esler
Intelligence Lead
OpenSource Manager
Vulnerability Research Team
Jabber: jesler@cisco.com

On Dec 16, 2013, at 5:12 AM, Lukas Matt <lukas.matt@sophos.com> wrote:

Hey guys,

I ran into the following error message: "Bad range: 4294967296"
That affects rules 28519 and 28514. The problem here is the following part:
byte_test:4,>,4294967296,18,relative,little;
Under 32-bit the maximum Int is 2^32-1 but in the rule you forgot to subtract 1.
I also checked the documentation and the maximum for your byte_test is 4294967295.

Could you double check that?

Cheers,
Lukas



--
Lukas Matt
Deep Packet Inspection Researcher, RnD

tel: +49-721-25516-322, cell: +49-174-3440-555

Sophos Technology GmbH
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany

SOPHOS Security made simple

---
Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
Executive Board: Nicholas Bray, Pino von Kienlin, Richard Walford, Joachim Frost, Günter Junk

 Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
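
Added example, not part of the original thread and not Snort's own code: a small Python lint that finds byte_test options whose value exceeds the 4294967295 maximum cited above, the condition behind the "Bad range" error. It goes one step beyond the thread and also flags comparisons that a field of the given width can never satisfy. The function name, the sample rules and SIDs 1000001-1000003 are constructed for illustration.

```python
import re

SNORT_VALUE_MAX = 2**32 - 1          # documented byte_test maximum cited in the thread
BYTE_TEST = re.compile(r"byte_test\s*:\s*([^;]+);")
NUMBER = re.compile(r"0[xX][0-9a-fA-F]+|\d+")

def lint_byte_tests(rule):
    """Return (option, problem) pairs for every suspect byte_test in a rule."""
    findings = []
    for match in BYTE_TEST.finditer(rule):
        option = match.group(0)
        args = [a.strip() for a in match.group(1).split(",")]
        if len(args) < 4:
            findings.append((option, "fewer than four arguments"))
            continue
        nbytes, op, value = args[0], args[1], args[2]
        if not (nbytes.isdigit() and NUMBER.fullmatch(value)):
            continue                   # e.g. value is a byte_extract variable
        limit = int(value, 16 if value[:2].lower() == "0x" else 10)
        if limit > SNORT_VALUE_MAX:
            findings.append((option, f"bad range: {limit} > {SNORT_VALUE_MAX}"))
            continue
        if "string" in args[4:]:
            continue                   # ASCII digits: width does not bound the number
        field_max = min(2 ** (8 * int(nbytes)) - 1, SNORT_VALUE_MAX)
        negated, cmp_op = op.startswith("!"), op.lstrip("!").strip()
        dead = ((cmp_op == ">" and limit >= field_max)
                or (cmp_op in ("=", ">=") and limit > field_max)
                or (cmp_op == "<" and limit == 0))
        if dead:
            outcome = "always" if negated else "never"
            findings.append((option, f"{outcome} true for a {nbytes}-byte field"))
    return findings

# Constructed sample rules (not the text of SIDs 28519/28514, which the thread
# does not quote in full); only the byte_test option comes from the message.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"constructed A"; content:"AB"; '
    'byte_test:4,>,4294967296,18,relative,little; sid:1000001;)',
    'alert tcp any any -> any any (msg:"constructed B"; content:"AB"; '
    'byte_test:4,>,4294967295,18,relative,little; sid:1000002;)',
    'alert tcp any any -> any any (msg:"constructed C"; content:"AB"; '
    'byte_test:2,>,1024,0,relative; sid:1000003;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for option, problem in lint_byte_tests(rule):
            print(f"{option} -> {problem}")
```

Running such a lint over a rule set before deployment catches both rules the parser will reject and rules that load but whose comparison can never fire.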

