Project

General

Profile

Actions

Bug #13

closed

Depth is not modified by offset

Added by Will Metcalf about 15 years ago. Updated almost 15 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

given a packet with the following payload

AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy

The following rules should fire as it is the behavior of snort to modify depth to however many bytes are specified by offset. I have attached a unit test showing this behavior

alert tcp any any -> any any (msg:"all work and no play"; content:"Work"; offset: 3; depth: 4; sid:1;)
alert tcp any any -> any any (msg:"all work and no play hex"; content:"|57 6F 72 6B|"; offset: 3; depth: 4; sid:2;)


Files

0001-failing-unit-test-depth-doesn-t-take-into-account-of.patch (2.87 KB) 0001-failing-unit-test-depth-doesn-t-take-into-account-of.patch unit test showing that depth does not take into account offset Will Metcalf, 11/24/2009 09:51 PM
Actions

Also available in: Atom PDF