Project

General

Profile

Actions

Bug #113

closed

signature with a within arg which is less than the content length should be invalidated

Added by Anoop Saldanha almost 15 years ago. Updated almost 15 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

A signature which has content:one; content:two; within:2; is invalid since the within arg has to be >= strlen(content) for which it is specified.


Files

0001-fix-for-bug-113.patch (5 KB) 0001-fix-for-bug-113.patch Anoop Saldanha, 03/03/2010 05:28 AM
Actions #1

Updated by Victor Julien almost 15 years ago

  • Estimated time changed from 0.00 h to 1.00 h

Please make sure we error out on sigs like this. Please add a unittest as well! Thanks!

Actions #3

Updated by Victor Julien almost 15 years ago

I'm not convinced this is the right approach. Are there existing sigs that rely on automagically fixing this at parse time? Does Snort accept or reject these sigs?

Actions #4

Updated by Will Metcalf almost 15 years ago

As of 2.8.6 snort rejects these signatures.

within (3) is smaller than size of pattern
Fatal Error, Quitting..

Actions #5

Updated by Victor Julien almost 15 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Applied, thanks Anoop & Will.

Actions

Also available in: Atom PDF