Hosting Provided By

Re: [Snort-sigs] Announcing sp_perl

From: Chris Green <cmg(at)sourcefire.com>
Date: Mon May 12 2003 - 09:05:50 EDT

Jeff Nathan <jeff@snort.org> writes:

> As described in our CanSecWest/core03 presentation, Advanced IDS, Brian

Religious issues aside,

otn->ds_list[PLUGIN_PERL] = (PerlData *)calloc(sizeof(PerlData), sizeof(u_int8_t));

should be checked

2)
+ /* room for a full-sized IP packet + null terminator */ + memset(tmp_payload, 0, 65537);

That could be switched to dsize and usually average a 500 byte memset.

Do you need help?

3) tmp_payload[p->dsize - 1] ='\0';

that ends up being tmp_payload[0xFFFFFFFF] = '\0' on 0 byte packets.

4) dinky optimization
0

        snprintf(srcport, 6, "%hu", 0);
        snprintf(dstport, 6, "%hu", 0);

    can be just
        srcport = "0";
        dstport = "0";

I don't have enough time to look understand the rest.

-- 
Chris Green 
Fame may be fleeting but obscurity is forever.

------------------------------------------------------- Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com _______________________________________________ Snort-sigs mailing list Snort-sigs@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/snort-sigs

application/pgp-signature attachment: stored

Received on Mon May 12 09:52:08 2003

This message: [ Message body ]
Next message: Randall S Jew: "[Snort-sigs] snort 2.0 problems"
In reply to Jeff Nathan: "[Snort-sigs] Announcing sp_perl"
Next in thread: Brian: "[Snort-sigs] RE-Announcing sp_perl"
Reply: Brian: "[Snort-sigs] RE-Announcing sp_perl"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT