signature does not alert or drop
This signature can be used to drop HTTP connections:
drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link"; sid:1; content:"/";)
But this signature can't be:
drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link"; sid:1;)
So for some reason we need a content match to be able to match.
I suspect somehow the setting of the SIG_FLAG_PAYLOAD flag in a signature has something to do with it.
Please add a unittest on the matching itself and confirm that the patch properly drops.
Updated by Pablo Rincon about 11 years ago
- File 0001-Fix-for-bug221-avoid-considering-sig-as-decoder-even.patch added
- Status changed from New to Feedback
Hi, I have attached a patch that avoids flagging the sig as "decoder event only", so now it gets grouped correctly and properly triggered. Anyway, we need to flag signatures with something to tell that they have "decoder event" checks, and later update the function that tells if it's a decoder-event-only sig or not.
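As an added illustration (not the attached patch and not Suricata's own code), the Python below models the grouping decision the report and the reply describe: the buggy check treats any signature without a payload keyword as decoder-event-only, so the rule with only msg and sid never reaches the packet-matching path, while the proposed check requires an explicit decoder-event keyword. The keyword sets, the helper names and the third (decoder-event) rule are assumptions constructed for this example.

```python
import re

# Assumed keyword sets for illustration; Suricata's real lists are longer.
PAYLOAD_KEYWORDS = {"content", "uricontent", "pcre", "dsize"}
DECODER_EVENT_KEYWORDS = {"decode-event"}
METADATA_KEYWORDS = {"msg", "sid", "rev", "classtype", "priority"}

# The two rules from the ticket, plus one constructed decoder-event rule.
RULE_WITH_CONTENT = ('drop tcp any any -> any 80 (msg:"Snort_Inline is blocking '
                     'the http link"; sid:1; content:"/";)')
RULE_WITHOUT_CONTENT = ('drop tcp any any -> any 80 (msg:"Snort_Inline is blocking '
                        'the http link"; sid:1;)')
DECODER_RULE = 'alert ip any any -> any any (msg:"constructed decoder event"; decode-event:example.event; sid:3;)'


def parse_rule(rule):
    """Split a rule into (action, header, [(keyword, value), ...]).

    Simplified: splits options on ';', so a quoted ';' inside a value is not handled.
    """
    m = re.match(r"^\s*(\w+)\s+(.+?)\s*\((.*)\)\s*$", rule)
    if not m:
        raise ValueError("not a rule: %r" % rule)
    action, header, body = m.groups()
    options = []
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, value = opt.partition(":")
        options.append((key.strip(), value.strip().strip('"')))
    return action, header, options


def keywords(rule):
    return {k for k, _ in parse_rule(rule)[2]} - METADATA_KEYWORDS


def buggy_is_decoder_event_only(rule):
    # Behaviour the ticket reports: no payload keyword -> flagged decoder-event-only,
    # which removes the sig from the normal packet-matching groups.
    return not (keywords(rule) & PAYLOAD_KEYWORDS)


def proposed_is_decoder_event_only(rule):
    # Approach the reply suggests: only sigs that carry a decoder-event check and
    # nothing else that inspects the packet are decoder-event-only.
    kws = keywords(rule)
    return bool(kws & DECODER_EVENT_KEYWORDS) and not (kws - DECODER_EVENT_KEYWORDS)


def classify(rule):
    """Return both verdicts so the difference for a given rule is visible at once."""
    return {"buggy": buggy_is_decoder_event_only(rule),
            "proposed": proposed_is_decoder_event_only(rule)}
```

Running `classify(RULE_WITHOUT_CONTENT)` shows the buggy check returning True (rule never matches) and the proposed check returning False (rule stays in the TCP/port-80 group and can drop).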