Bug #221

closed

signature does not alert or drop

Added by Victor Julien over 14 years ago. Updated over 14 years ago.

Status: Closed
Priority: High

Description

This signature can be used to drop HTTP connections:

drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link"; sid:1; content:"/";)

But this signature can't be:

drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link"; sid:1;)

So for some reason we need a content match to be able to match.

I suspect somehow the setting of the SIG_FLAG_PAYLOAD flag in a signature has something to do with it.

Please add a unit test on the matching itself and confirm that the patch properly drops.


Files

0001-Fix-for-bug221-avoid-considering-sig-as-decoder-even.patch (2.29 KB): avoid flagging the sig as "decoder event only", so now it gets grouped correctly and properly triggered. Pablo Rincon, 07/28/2010 07:53 AM