Actions
Bug #113
closedsignature with a within arg which is less than the content length should be invalidated
Affected Versions:
Effort:
Difficulty:
Label:
Description
A signature which has content:one; content:two; within:2; is invalid since the within arg has to be >= strlen(content) for which it is specified.
Files
Updated by Victor Julien almost 15 years ago
- Estimated time changed from 0.00 h to 1.00 h
Please make sure we error out on sigs like this. Please add a unittest as well! Thanks!
Updated by Anoop Saldanha almost 15 years ago
attached a patch
Updated by Victor Julien almost 15 years ago
I'm not convinced this is the right approach. Are there existing sigs that rely on automagically fixing this at parse time? Does Snort accept or reject these sigs?
Updated by Will Metcalf almost 15 years ago
As of 2.8.6 snort rejects these signatures.
within (3) is smaller than size of pattern
Fatal Error, Quitting..
Updated by Victor Julien almost 15 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Applied, thanks Anoop & Will.
Actions