Bug #146
Closed
isdataat + relative does not work when previous keyword is byte_jump
Description
isdataat + relative does not work when the previous keyword is byte_jump. This is supported by Snort; we should do the same.
[3499] 4/5/2010 -- 19:41:06 - (detect-isdataat.c:253) <Error> (DetectIsdataatSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(36)] - Unknown previous keyword!
[3499] 4/5/2010 -- 19:41:06 - (detect.c:295) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(36)] - Error parsing signature "alert tcp any any -> any any (msg:"byte_jump match = 0 with distance content HTTP/1. relative against HTTP/1.0"; byte_jump:1,46,string,dec; isdataat:87,relative; classtype:bad-unknown; sid:109; rev:1;)" from file /home/coz/allworkplain.rules at line 225
Snort output:
01/04-12:29:26.927934 [**] [1:109:1] byte_jump match = 0 with distance content HTTP/1. relative against HTTP/1.0 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.3:39867 -> 209.85.225.105:80
Updated by Gurvinder Singh over 14 years ago
- Assignee changed from OISF Dev to Gurvinder Singh
Updated by Gurvinder Singh over 14 years ago
- File 0003-fixed-setting-up-byte_test-relative-when-byte_jump-i.patch added
- Status changed from New to Resolved
- % Done changed from 0 to 90
The attached patch fixes the given issue. The patch is incremental to the patch for bug 144.
Updated by Victor Julien over 14 years ago
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Patch applied, thanks Gurvinder.