Bug #1488

closed

stream_size <= and >= modifiers function as < and > (equality is not functional)

Added by Charles Smutz over 9 years ago. Updated about 9 years ago.

Status: Closed
Priority: Normal

Description

For the stream_size keyword, the <= and >= modifiers function the same as the < and > modifiers respectively. When the = modifier matches, the <= and >= modifiers do not match.

When the following rules are applied to the specified pcap:

#rules intended to be applied to https://csmutz.com/smusec_files/alice_full.pcap

alert tcp any any -> any any (msg:"=137"; stream_size:client,=,137; content:"GET "; sid:517301; rev:1;)
alert tcp any any -> any any (msg:"!=137"; stream_size:client,!=,137; content:"GET "; sid:517302; rev:1;)
alert tcp any any -> any any (msg:">137"; stream_size:client,>,137; content:"GET "; sid:517303; rev:1;)
alert tcp any any -> any any (msg:"<137"; stream_size:client,<,137; content:"GET "; sid:517304; rev:1;)
alert tcp any any -> any any (msg:">=137"; stream_size:client,>=,137; content:"GET "; sid:517305; rev:1;)
alert tcp any any -> any any (msg:"<=137"; stream_size:client,<=,137; content:"GET "; sid:517306; rev:1;)

alert tcp any any -> any any (msg:"=138"; stream_size:client,=,138; content:"GET "; sid:517311; rev:1;)
alert tcp any any -> any any (msg:"!=138"; stream_size:client,!=,138; content:"GET "; sid:517312; rev:1;)
alert tcp any any -> any any (msg:">138"; stream_size:client,>,138; content:"GET "; sid:517313; rev:1;)
alert tcp any any -> any any (msg:"<138"; stream_size:client,<,138; content:"GET "; sid:517314; rev:1;)
alert tcp any any -> any any (msg:">=138"; stream_size:client,>=,138; content:"GET "; sid:517315; rev:1;)
alert tcp any any -> any any (msg:"<=138"; stream_size:client,<=,138; content:"GET "; sid:517316; rev:1;)

alert tcp any any -> any any (msg:"=139"; stream_size:client,=,139; content:"GET "; sid:517321; rev:1;)
alert tcp any any -> any any (msg:"!=139"; stream_size:client,!=,139; content:"GET "; sid:517322; rev:1;)
alert tcp any any -> any any (msg:">139"; stream_size:client,>,139; content:"GET "; sid:517323; rev:1;)
alert tcp any any -> any any (msg:"<139"; stream_size:client,<,139; content:"GET "; sid:517324; rev:1;)
alert tcp any any -> any any (msg:">=139"; stream_size:client,>=,139; content:"GET "; sid:517325; rev:1;)
alert tcp any any -> any any (msg:"<=139"; stream_size:client,<=,139; content:"GET "; sid:517326; rev:1;)

The following alerts are generated:

06/19/2010-14:12:54.632936  [**] [1:517302:1] !=137 [**] [Classification: (null)] [Priority: 3] {TCP}
06/19/2010-14:12:54.632936  [**] [1:517303:1] >137 [**] [Classification: (null)] [Priority: 3] {TCP}
06/19/2010-14:12:54.632936  [**] [1:517305:1] >=137 [**] [Classification: (null)] [Priority: 3] {TCP}
06/19/2010-14:12:54.632936  [**] [1:517311:1] =138 [**] [Classification: (null)] [Priority: 3] {TCP}
06/19/2010-14:12:54.632936  [**] [1:517322:1] !=139 [**] [Classification: (null)] [Priority: 3] {TCP}
06/19/2010-14:12:54.632936  [**] [1:517324:1] <139 [**] [Classification: (null)] [Priority: 3] {TCP}
06/19/2010-14:12:54.632936  [**] [1:517326:1] <=139 [**] [Classification: (null)] [Priority: 3] {TCP}

Alerts for >=138 (517315) and <=138 (517316) should occur as =138(517311) does.

The following alerts were generated on 2.1beta4 but the same issue exists in previous issues.
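The comparison semantics the report describes, as an added example that is not Suricata's own code: a comparator with the intended meaning of each stream_size modifier, beside a variant reproducing the reported behaviour (<= and >= acting as < and >), both evaluated over the report's 18 rules at a client stream size of 138, which is assumed here from the fact that only the "=138" rule matched. The enum, function names and the 138 value are this example's own assumptions.

```c
#include <stdio.h>
#include <stdint.h>

/* Modifiers in the order the report lists them per value. */
enum ss_mode { SS_LT, SS_LE, SS_EQ, SS_NE, SS_GE, SS_GT };

/* Intended semantics: each modifier means exactly what its symbol says. */
int stream_size_match(enum ss_mode mode, uint32_t actual, uint32_t wanted)
{
    switch (mode) {
    case SS_LT: return actual <  wanted;
    case SS_LE: return actual <= wanted;
    case SS_EQ: return actual == wanted;
    case SS_NE: return actual != wanted;
    case SS_GE: return actual >= wanted;
    case SS_GT: return actual >  wanted;
    }
    return 0;
}

/* Behaviour described in the report: <= evaluates as <, >= as >. */
int stream_size_match_reported(enum ss_mode mode, uint32_t actual, uint32_t wanted)
{
    if (mode == SS_LE) mode = SS_LT;
    if (mode == SS_GE) mode = SS_GT;
    return stream_size_match(mode, actual, wanted);
}

/* Runs the report's 18 rules (6 modifiers x 137/138/139) against one stream
 * size and returns how many fire. With the reported comparator and a size of
 * 138 this is 7, the number of alerts in the report; the intended one gives 9. */
int count_matches(int (*match)(enum ss_mode, uint32_t, uint32_t), uint32_t actual)
{
    static const uint32_t wanted[] = {137, 138, 139};
    int n = 0;
    for (int w = 0; w < 3; w++)
        for (int m = SS_LT; m <= SS_GT; m++)
            n += match((enum ss_mode)m, actual, wanted[w]);
    return n;
}

int main(void)
{
    static const char *sym[] = {"<", "<=", "=", "!=", ">=", ">"};
    for (uint32_t w = 137; w <= 139; w++)
        for (int m = SS_LT; m <= SS_GT; m++)
            printf("%s%u intended=%d reported=%d\n", sym[m], w,
                   stream_size_match((enum ss_mode)m, 138, w),
                   stream_size_match_reported((enum ss_mode)m, 138, w));
    return 0;
}
```

The two rows that differ are exactly >=138 (sid 517315) and <=138 (sid 517316), the missing alerts the report calls out.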
