Re: [Snort-devel] Bug in ByteTest() function / byte_test keyword on little endian systems?

From: Chris Green <cmg(at)sourcefire.com>
Date: Thu Apr 24 2003 - 09:28:51 EDT

"Jason V. Miller" <jmiller@securityfocus.com> writes:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 \

[...]

> I have a few questions about this.

I believe it comes from the | use for conversion and requiring knowledge of how the host stores its ints. See comments below.

> As the packet data is stored in memory as an array of unsigned chars

Yes, I will agree that's a bug, stemming from the fact that almost all the test cases we'd performed were 4 byte values. The comment about most of us using big endian machines was accurate for when this was developed. However, everyone but Marty will be using little endian machines after this week.

> Both little endian and big endian machines should be able to perform

Yes, that is much easier to read. Thanks for the detailed analysis. I'll spend some time converting that and making byte_jump and byte_test use the same code path for this operation (something that was already on my todo list).

Thanks,
Chris

-- 
Chris Green 
A watched process never cores.


Received on Thu Apr 24 09:39:05 2003
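
The message above concerns byte_test reading multi-byte values out of packet data on hosts of either endianness. As an added example (not part of the original message and not Snort's code), the sketch below reads a 1 to 4 byte field from an array of unsigned chars using shifts only, so the result does not depend on how the host stores its ints. The names `extract_uint`, `value_exceeds` and `SAMPLE` are hypothetical, and the sample payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum byte_order { ORDER_BIG, ORDER_LITTLE };
/* Constructed sample payload, not taken from the thread. */
static const uint8_t SAMPLE[8] = {0x00, 0x01, 0x00, 0x02, 0x12, 0x34, 0x56, 0x78};

/* Read nbytes (1..4) at offset as an unsigned integer in the requested wire
 * order. Only shifts on individual bytes are used, so the result is the same
 * on big and little endian hosts. Returns 0 on success, -1 on bad input. */
int extract_uint(const uint8_t *buf, size_t buflen, size_t offset,
                 size_t nbytes, enum byte_order order, uint32_t *out)
{
    uint32_t v = 0;
    size_t i;
    if (buf == NULL || out == NULL || nbytes < 1 || nbytes > 4)
        return -1;
    if (offset > buflen || nbytes > buflen - offset) /* no read past the packet */
        return -1;
    for (i = 0; i < nbytes; i++) {
        if (order == ORDER_BIG)
            v = (v << 8) | buf[offset + i];            /* first byte is most significant */
        else
            v |= (uint32_t)buf[offset + i] << (8 * i); /* first byte is least significant */
    }
    *out = v;
    return 0;
}

/* Greater-than comparison in the style of a byte_test check:
 * 1 if value > threshold, 0 if not, -1 if the bytes cannot be read. */
int value_exceeds(const uint8_t *buf, size_t buflen, size_t offset,
                  size_t nbytes, enum byte_order order, uint32_t threshold)
{
    uint32_t v;
    if (extract_uint(buf, buflen, offset, nbytes, order, &v) != 0)
        return -1;
    return v > threshold;
}

int main(void)
{
    uint32_t v = 0;
    extract_uint(SAMPLE, sizeof SAMPLE, 0, 2, ORDER_BIG, &v);
    printf("2 bytes, big:    0x%04x\n", (unsigned)v);
    extract_uint(SAMPLE, sizeof SAMPLE, 0, 2, ORDER_LITTLE, &v);
    printf("2 bytes, little: 0x%04x\n", (unsigned)v);
}
```
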

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:05 EDT