Bug #1

closed

within doesn't respect distance while carrying out a match

Added by Victor Julien over 14 years ago. Updated about 14 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

A signature containing content:"abc"; distance:1; within:3; can never match. The signature parser needs to detect this, print an error message and invalidate the signature.

^ Changing the problem statement to what Will has specified

This is actually valid. In Snort, distance moves where to begin searching for the match. So let's look at the following rule.

alert tcp any any -> any any (msg:"AllWorkAndNoPlay"; content:"AllWorkAndNoPlayMakesWill"; content:"DullBoy"; distance:1; within:7; sid:2;)

and the string

AllWorkAndNoPlayMakesWillADullBoy

In Snort this will match, as we simply move where to start looking for the within match: here we move 1 byte past the end of the previous match, skipping over the "A". Since "DullBoy" is seven bytes, this rule alerts.

01/04-11:29:26.927934 [**] [1:2:0] AllWorkAndNoPlay [**] [Priority: 0] {TCP} 192.168.2.3:39867 -> 209.85.225.105:80
01/04-11:29:26.981495 [**] [1:2:0] AllWorkAndNoPlay [**] [Priority: 0] {TCP} 209.85.225.105:80 -> 192.168.2.3:39867
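The window arithmetic described above, as an added example that is not part of the original report and not Suricata's or Snort's own code: a small Python model in which each relative content is searched in the window starting `distance` bytes past the end of the previous match and extending `within` bytes, plus the parser check the original report asked for. The `Content`, `match_chain` and `validate` names and the simplified first-match-only search are assumptions of this model; the payload and rule contents are the ones from the report.

```python
# Added example: a model of Snort/Suricata-style relative content matching
# (distance/within measured from the end of the previous match) and a parser
# sanity check for unsatisfiable within values. Names are hypothetical; this is
# not the real engine code.

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    distance: int = 0            # bytes to skip after the previous match
    within: Optional[int] = None  # width of the search window after distance


def match_chain(payload: bytes, contents: List[Content]) -> Optional[List[int]]:
    """Return the offsets at which each content matched, or None on failure.

    The first content is searched anywhere in the payload. Each following
    content is searched only in payload[start:start + within], where
    start = end_of_previous_match + distance (to end of payload if within is
    not set). Like the search windows in the report, the pattern must fit
    entirely inside the window. Only the first hit of each content is used;
    this simplified model does no backtracking.
    """
    offsets: List[int] = []
    prev_end = 0
    for i, c in enumerate(contents):
        if i == 0:
            start, end = 0, len(payload)
        else:
            start = max(0, prev_end + c.distance)  # negative distance clamps to 0
            end = len(payload) if c.within is None else start + c.within
        idx = payload.find(c.pattern, start, min(end, len(payload)))
        if idx == -1:
            return None
        offsets.append(idx)
        prev_end = idx + len(c.pattern)
    return offsets


def validate(contents: List[Content]) -> List[str]:
    """The check the report asks the parser for: a relative content whose
    within window is narrower than the pattern itself can never match."""
    errors = []
    for c in contents[1:]:
        if c.within is not None and c.within < len(c.pattern):
            errors.append(
                f"content {c.pattern!r}: within:{c.within} is smaller than the "
                f"{len(c.pattern)}-byte pattern and can never match"
            )
    return errors


# Constructed payload and rule contents, taken from the report above.
PAYLOAD = b"AllWorkAndNoPlayMakesWillADullBoy"
RULE_SID2 = [
    Content(b"AllWorkAndNoPlayMakesWill"),
    Content(b"DullBoy", distance=1, within=7),
]

if __name__ == "__main__":
    # distance:1 moves the window past the "A", so within:7 covers "DullBoy".
    print(match_chain(PAYLOAD, RULE_SID2))
    # Without distance the window is "ADullBo" and the rule does not alert.
    print(match_chain(PAYLOAD, [RULE_SID2[0], Content(b"DullBoy", within=7)]))
    # within:6 on a 7-byte pattern is what the parser should reject.
    print(validate([RULE_SID2[0], Content(b"DullBoy", distance=1, within=6)]))
```

Running it shows the two positions the report contrasts: with distance:1 the second content is found at offset 26 and the chain matches, while within:6 is flagged by the validator because no 7-byte pattern fits in a 6-byte window. The original content:"abc"; distance:1; within:3 case passes validation for the same reason it alerts in Snort: the window is exactly as wide as the pattern.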

