Bug #13
closedDepth is not modified by offset
Description
given a packet with the following payload
AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy
The following rules should fire as it is the behavior of snort to modify depth to however many bytes are specified by offset. I have attached a unit test showing this behavior
alert tcp any any -> any any (msg:"all work and no play"; content:"Work"; offset: 3; depth: 4; sid:1;)
alert tcp any any -> any any (msg:"all work and no play hex"; content:"|57 6F 72 6B|"; offset: 3; depth: 4; sid:2;)
Files
Updated by Victor Julien about 15 years ago
- Estimated time changed from 0.50 h to 2.50 h
Updated by Victor Julien almost 15 years ago
- Assignee changed from OISF Dev to Victor Julien