Bug #113
closed
signature with a within arg which is less than the content length should be invalidated
Added by Anoop Saldanha over 14 years ago.
Updated over 14 years ago.
Description
A signature which has content:one; content:two; within:2; is invalid since the within arg has to be >= strlen(content) for which it is specified.
- Estimated time changed from 0.00 h to 1.00 h
Please make sure we error out on sigs like this. Please add a unittest as well! Thanks!
I'm not convinced this is the right approach. Are there existing sigs that rely on automagically fixing this at parse time? Does Snort accept or reject these sigs?
As of 2.8.6 Snort rejects these signatures.
within (3) is smaller than size of pattern
Fatal Error, Quitting..
- Status changed from New to Closed
- % Done changed from 0 to 100
Applied, thanks Anoop & Will.
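The parse-time check this issue asks for, sketched as a standalone rule lint. This is an added example, not part of the thread and not Suricata's or Snort's parser code; the names `content_length` and `check_within` and the sample option strings are constructed for illustration, and patterns are assumed to be ASCII with optional `|..|` hex runs.

```python
import re
import string

# keyword[:value]; with backslash-escaped characters (e.g. \;) kept inside the value
OPTION_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:\\.|[^;\\])*))?;')

def content_length(value):
    """Byte length of a content pattern; |..| hex runs count one byte per digit pair."""
    value = value.strip()
    if value.startswith('!'):                      # negated match, same length
        value = value[1:].lstrip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    length = digits = i = 0
    in_hex = False
    while i < len(value):
        ch = value[i]
        if ch == '|':                              # toggles hex notation
            if in_hex:
                if digits % 2:
                    raise ValueError("odd number of hex digits in content")
                length, digits = length + digits // 2, 0
            in_hex = not in_hex
        elif in_hex:
            if ch in string.hexdigits:
                digits += 1
            elif not ch.isspace():
                raise ValueError(f"bad character {ch!r} in hex run")
        else:
            if ch == '\\' and i + 1 < len(value):  # escaped char is one byte
                i += 1
            length += 1
        i += 1
    if in_hex:
        raise ValueError("unterminated hex run in content")
    return length

def check_within(options):
    """Return one error per numeric within that is smaller than its preceding content."""
    errors, last_len = [], None
    for m in OPTION_RE.finditer(options):
        key, val = m.group(1).lower(), (m.group(2) or '').strip()
        if key == 'content':
            last_len = content_length(val)
        elif key == 'within' and last_len is not None and val.isdigit():
            if int(val) < last_len:
                errors.append(f"within ({val}) is smaller than size of pattern ({last_len})")
    return errors

# Constructed sample: the option string from the issue description
print(check_within("content:one; content:two; within:2;"))
```

Non-numeric `within` arguments are skipped rather than flagged, since their value is not known at parse time.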