Hosting Provided By

[Snort-devel] depth, content-list bugs?

From: Andrew Chi <achi(at)mitre.org>
Date: Wed Jul 30 2003 - 12:04:24 EDT

Hello,

The way I understood the wording for the definition of depth in chap 2.3.11: "This sets the maximum search depth for the content pattern match function to search from the beginning of its search region." was to mean that the depth specifies the last offset where the beginning of the content could match, but this is not quite the case:

scenario1

if "asdf" were at the very beginning of the payload.

example1

content: "asdf";
offset: 0;
depth: 0;

scenario1 should only be matched by example1, however in practice, example2 also matches scenario1:

example2

content: "asdf";
offset: 0;
depth: 4;

yet, example3 will not match scenario1

example3

content: "asdf";
offset: 0;
depth: 2;

Do you need help?

so in practice depth really specifies "the maximum offset into the payload
that the end of the content could match."

sticking to this definition there is a minor bug with example1 being able to match everything (depth=0), when in fact it should match nothing.

however, if implemented according to the original definition, example1 should only match items that are at the beginning of the payload. however, i'm guessing if it were re-implemented that way, a lot of rules would get broken.

could you add to the documentation for "depth" in chap. 2.3.11 a more exact example and explanation, the vague example does not tell me enough about the exact operation of "depth". of course i could pour over the source and find out, but isn't documentation there so that i don't have to waste so much time doing that? one might also say that i could just test it out, which i did, and was misled because of the success of example1, which led me to believe the original definition was correct.

on a side note,

"offset", "depth", "nocase" attributes aren't applied to "content-list" parameters, is this the planned behavior?

thanx,
drew

This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Wed Jul 30 12:09:59 2003

This message: [ Message body ]
Next message: stephane: "Re: [Snort-devel] depth, content-list bugs?"
Previous message: Patrick McGleenon: "[Snort-devel] help with building snort 2.0.1 on sparc linux"
Next in thread: stephane: "Re: [Snort-devel] depth, content-list bugs?"
Reply: stephane: "Re: [Snort-devel] depth, content-list bugs?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

Do you need more help?