Bug #221

closed

signature does not alert or drop

Added by Victor Julien about 11 years ago. Updated about 11 years ago.

Status: Closed
Priority: High

Description

This signature can be used to drop http connections:

drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link"; sid:1; content:"/";)

But this signature can't be:

drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link"; sid:1;)

So for some reason we need a content match to be able to match.

I suspect somehow the setting of the SIG_FLAG_PAYLOAD flag in a signature has something to do with it.

Please add a unittest on the matching itself and confirm that the patch properly drops.


Files

0001-Fix-for-bug221-avoid-considering-sig-as-decoder-even.patch (2.29 KB) - avoid flagging the sig as "decoder event only", so now it gets grouped correctly and properly triggered - Pablo Rincon, 07/28/2010 07:53 AM
#1

Updated by Pablo Rincon about 11 years ago

Hi, I have attached a patch that avoids flagging the sig as "decoder event only", so now it gets grouped correctly and properly triggered. Anyway, we need to flag signatures with something to tell that they have "decoder event" checks, and later update the function that tells whether it's a decoder-event-only sig or not.

#2

Updated by Victor Julien about 11 years ago

  • Status changed from Feedback to Closed
  • % Done changed from 0 to 100

Applied your patch but made some modifications to actually check if the sig contains a decoder event keyword.
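An added illustration, not Suricata's own code, of the grouping change this fix makes: a toy rule-option parser, the "before" classification the report describes (no payload keyword means decoder-event-only) beside the "after" one (only a sig that actually carries a decoder event keyword), run over the two rules from the description. The decode-event keyword name, the pcre payload keyword, the constructed decoder event rule and the toy matcher are assumptions made for the example.

```python
# Rules copied from the bug description (constructed as Python string literals).
RULE_WITH_CONTENT = ('drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the '
                     'http link"; sid:1; content:"/";)')
RULE_NO_CONTENT = ('drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the '
                   'http link"; sid:1;)')
# Constructed decoder event rule; "decode-event" is assumed to be the keyword name.
RULE_DECODE_EVENT = ('alert ip any any -> any any (msg:"truncated ipv4 header"; '
                     'decode-event:ipv4.pkt_too_small; sid:2;)')

PAYLOAD_KEYWORDS = {"content", "pcre"}     # keywords that set a payload flag on the sig
DECODER_EVENT_KEYWORDS = {"decode-event"}  # assumed decoder event keyword

def parse_options(rule):
    """Split the option section of a rule into (keyword, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            kw, _, val = cur.strip().partition(":")
            opts.append((kw, val.strip('"')))
            cur = ""
        else:
            cur += ch
    return opts

def decoder_event_only_buggy(opts):
    """Before the fix: no payload keyword meant 'decoder event only' (the symptom)."""
    return not any(kw in PAYLOAD_KEYWORDS for kw, _ in opts)

def decoder_event_only_fixed(opts):
    """After the fix: only a sig carrying a decoder event keyword (and no payload
    keyword) is grouped as decoder-event-only."""
    has_event = any(kw in DECODER_EVENT_KEYWORDS for kw, _ in opts)
    has_payload = any(kw in PAYLOAD_KEYWORDS for kw, _ in opts)
    return has_event and not has_payload

def rule_matches(rule, payload, dst_port, classifier):
    """Toy matcher: decoder-event-only rules are never consulted for a normal packet;
    otherwise check the destination port and every content keyword."""
    opts = parse_options(rule)
    if classifier(opts):
        return False
    dport = rule.split("(")[0].split()[6]
    if dport != "any" and int(dport) != dst_port:
        return False
    return all(val in payload for kw, val in opts if kw == "content")
```

With the buggy classifier the content-less drop rule never reaches the packet matcher, which is exactly the symptom in the description; with the fixed one it matches the same HTTP packet as the content rule does.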
