Bug #113: signature with a within arg which is less than the content length should be invalidated - Suricata - Open Information Security Foundation

Actions

Bug #113

closed

signature with a within arg which is less than the content length should be invalidated

Added by Anoop Saldanha over 14 years ago. Updated over 14 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

A signature which has content:one; content:two; within:2; is invalid since the within arg has to be >= strlen(content) for which it is specified.

Files

0001-fix-for-bug-113.patch (5 KB) 0001-fix-for-bug-113.patch

Anoop Saldanha, 03/03/2010 05:28 AM

Actions

#1

Updated by Victor Julien over 14 years ago

Estimated time changed from 0.00 h to 1.00 h

Please make sure we error out on sigs like this. Please add a unittest as well! Thanks!

Actions

#2

Updated by Anoop Saldanha over 14 years ago

File 0001-fix-for-bug-113.patch 0001-fix-for-bug-113.patch added

attached a patch

Actions

#3

Updated by Victor Julien over 14 years ago

I'm not convinced this is the right approach. Are there existing sigs that rely on automagically fixing this at parse time? Does Snort accept or reject these sigs?

Actions

#4

Updated by Will Metcalf over 14 years ago

As of 2.8.6 snort rejects these signatures.

within (3) is smaller than size of pattern
Fatal Error, Quitting..

Actions

#5

Updated by Victor Julien over 14 years ago

Status changed from New to Closed
% Done changed from 0 to 100

Applied, thanks Anoop & Will.

Actions

Also available in: Atom PDF