Project

General

Profile

Actions
Copy link

Bug #221

closed

signature does not alert or drop

Added by Victor Julien over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
High
Assignee:
Pablo Rincon
Target version:
1.0.1
Affected Versions:
Effort:
Difficulty:
Label:

Description

this signature can be used to drop http connections:

drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link"; sid:1; content:"/";)

but this signature can't be:

drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link"; sid:1;)

so for some reason we need a content match to be able to match.

I suspect somehow the setting of the SIG_FLAG_PAYLOAD flag in a signature has something to do with it.

Please add a unittest on the matching itself and confirm that the patch properly drops.

Files

0001-Fix-for-bug221-avoid-considering-sig-as-decoder-even.patch (2.29 KB) 0001-Fix-for-bug221-avoid-considering-sig-as-decoder-even.patch avoid flagging the sig as "decoder event only", so now it gets grouped correctly and properly triggered Pablo Rincon, 07/28/2010 07:53 AM
Actions
Copy link
 #1

Updated by Pablo Rincon over 13 years ago

Hi, I have attached a patch that avoid flagging the sig as "decoder event only", so now it gets grouped correctly and properly triggered. Anyway, we need to flag signatures with something to tell that they have "decoder event" checks. And later update the function that tells if it's a decoder event only sig or not.

Actions
Copy link
 #2

Updated by Victor Julien over 13 years ago

  • Status changed from Feedback to Closed
  • % Done changed from 0 to 100

Applied your patch but made some modifications to actually check if the sig contains a decoder event keyword.

Actions
Copy link

Also available in: Atom PDF