Bug #188
Closed
Snort now supports byte_test <= >= operators so should we.
Description
It seems somewhere along the way Snort implemented support for <= >= for byte_test, and currently VRT rule sid:16603 uses a byte_test operator in this way. We should support the same. The example rules below should all match when processing the attached pcap.
alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,=,0,0,relative,string,dec; classtype:bad-unknown; sid:123; rev:1;)
alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,<=,0,0,relative,string,dec; classtype:bad-unknown; sid:124; rev:1;)
alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,>=,0,0,relative,string,dec; classtype:bad-unknown; sid:125; rev:1;)
Updated by Victor Julien over 15 years ago
- Due date set to 11/19/2010
- Status changed from New to Assigned
- Assignee changed from Victor Julien to Gurvinder Singh
- Target version changed from TBD to 1.1beta1
Gurvinder, adding this shouldn't be hard. Can you do this and unittest it as well?
Updated by Gurvinder Singh over 15 years ago
- File 0001-add-the-support-for-and-operator-for-byte_test.patch added
- Status changed from Assigned to Resolved
- % Done changed from 0 to 90
Attached patch added support for the above-mentioned operators.
Updated by Victor Julien over 15 years ago
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Patch applied, thanks Gurvinder.
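
Added example, not taken from the ticket, the attached patch or the Suricata source: a minimal Python model of how the three rules in the description evaluate byte_test with =, <= and >= on the digit that follows "HTTP/1.". The function names and the two sample requests are constructed for illustration, and the model assumes only the first occurrence of each content is tried.

```python
import operator

# Comparison operators; "<=" and ">=" are the two this ticket asks for.
OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}

def parse_byte_test(arg):
    """Parse 'nbytes,operator,value,offset[,relative][,string,dec]'."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) < 4:
        raise ValueError("byte_test needs bytes, operator, value, offset")
    if parts[1] not in OPS:
        raise ValueError("unsupported byte_test operator: %r" % parts[1])
    flags = parts[4:]
    return {"nbytes": int(parts[0]), "op": OPS[parts[1]],
            "value": int(parts[2]), "offset": int(parts[3]),
            "relative": "relative" in flags, "string": "string" in flags}

def byte_test(payload, last_match_end, bt):
    """Extract nbytes at offset and compare: extracted <op> value."""
    start = bt["offset"] + (last_match_end if bt["relative"] else 0)
    raw = payload[start:start + bt["nbytes"]]
    if start < 0 or len(raw) < bt["nbytes"]:
        return False                      # not enough data: no match
    if bt["string"]:
        if not raw.isdigit():
            return False                  # "string,dec" needs ASCII digits
        extracted = int(raw.decode("ascii"), 10)
    else:
        extracted = int.from_bytes(raw, "big")
    return bt["op"](extracted, bt["value"])

def match_rule(payload, byte_test_arg):
    """content:"GET "; depth:4; content:"HTTP/1."; byte_test:<arg>;"""
    if payload[:4] != b"GET ":            # depth:4 pins "GET " to offset 0
        return False
    pos = payload.find(b"HTTP/1.")        # simplified: first occurrence only
    if pos < 0:
        return False
    return byte_test(payload, pos + len(b"HTTP/1."),
                     parse_byte_test(byte_test_arg))

# Constructed sample payloads (not the pcap attached to the ticket).
REQ_10 = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
REQ_11 = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
```

With the HTTP/1.0 request all three rule variants match, while the HTTP/1.1 request matches only the >= variant, which gives a quick unit-test matrix for the new operators.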