Bug #13
closedDepth is not modified by offset
Description
given a packet with the following payload
AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy
The following rules should fire as it is the behavior of snort to modify depth to however many bytes are specified by offset. I have attached a unit test showing this behavior
alert tcp any any -> any any (msg:"all work and no play"; content:"Work"; offset: 3; depth: 4; sid:1;)
alert tcp any any -> any any (msg:"all work and no play hex"; content:"|57 6F 72 6B|"; offset: 3; depth: 4; sid:2;)
Files