Project

General

Profile

Actions
Copy link

Bug #188

closed

Snort now supports byte_test <= >= operators so should we.

Added by Will Metcalf over 14 years ago. Updated about 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Gurvinder Singh
Target version:
1.1beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

It seems somewhere along the way snort implemented support for <= >= for byte_test and currently VRT rule sid:16603 uses a byte_test operator in this way. We should support the same. The example rules below should all match when processing the attached pcap.

alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,=,0,0,relative,string,dec; classtype:bad-unknown; sid:123; rev:1;)
alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,<=,0,0,relative,string,dec; classtype:bad-unknown; sid:124; rev:1;)
alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,>=,0,0,relative,string,dec; classtype:bad-unknown; sid:125; rev:1;)

Files

Download all files
allworkandnoplayplain.pcap (2.7 KB) allworkandnoplayplain.pcap pcap for testing byte_test operators Will Metcalf, 06/25/2010 07:44 AM
0001-add-the-support-for-and-operator-for-byte_test.patch (5.11 KB) 0001-add-the-support-for-and-operator-for-byte_test.patch Gurvinder Singh, 11/15/2010 06:28 PM
Actions
Copy link

Also available in: Atom PDF