Jason, I appreciate you picking up snortcenter. I also
have tried to contact the author, without success.
I ran into the issue on rule 2379 for example where I get
a byte_test error. I had this with the previous version of
snortcenter and had to make some modifications to
bypass this error. I would be willing to supply these
modifications if you are interested. Basically it consists
of adding a sequence number to the content table so
that the content rules are maintained in sequence, then
removing the text "byte_jump" and "byte_test" in the
respective fields. I have reviewed a number of rules with
this modification, and it appears to keep the proper
syntax. This change could also likely be applied to the
uri-content table, or even better, to merge content and
uri-content table as I don't see a lot of difference in
them.
Dave Fennell
dfennell@talisman-energy.com
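The ordering problem Dave describes, shown as an added example (this is not snortcenter's code and uses a constructed rule, not rule 2379): relative byte_test/byte_jump options bind to the content match that precedes them, so storing options grouped by keyword without a sequence column changes what the rule means when it is rebuilt.

```python
# Constructed Snort-style rule for illustration (assumption: not the real
# rule 2379).  byte_test/byte_jump with "relative" anchor on the previous
# content match, so option order is part of the rule's semantics.
RULE = ('alert tcp any any -> any 139 (msg:"constructed example"; '
        'content:"|00 01|"; byte_test:2,>,100,0,relative; '
        'content:"|FF|"; byte_jump:4,0,relative; '
        'content:"END"; sid:9999999; rev:1;)')


def parse_options(rule):
    """Split the option body into rows of {seq, keyword, value} in rule order."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, cur, quoted = [], '', False
    for ch in body:
        if ch == '"':
            quoted = not quoted          # ';' inside quotes is not a separator
        if ch == ';' and not quoted:
            opts.append(cur.strip())
            cur = ''
        else:
            cur += ch
    if cur.strip():
        raise ValueError('unterminated option: ' + cur)
    rows = []
    for seq, opt in enumerate(opts):
        key, _, val = opt.partition(':')
        rows.append({'seq': seq, 'keyword': key.strip(), 'value': val.strip()})
    return rows


def rebuild_by_keyword(rows):
    """Old scheme: one table per keyword, no sequence column; options come
    back grouped by keyword, in first-appearance order of the keywords."""
    order = []
    for r in rows:
        if r['keyword'] not in order:
            order.append(r['keyword'])
    return [r for k in order for r in rows if r['keyword'] == k]


def rebuild_in_sequence(rows):
    """Fix from the thread: keep a sequence number and emit rows by it."""
    return sorted(rows, key=lambda r: r['seq'])


def render(rule, rows):
    """Reassemble a rule text from the header and an ordered row list."""
    head = rule[:rule.index('(')]
    body = ' '.join(f"{r['keyword']}:{r['value']};" if r['value']
                    else f"{r['keyword']};" for r in rows)
    return f"{head}({body})"


def relative_bindings(rows):
    """Which content match each relative byte_test/byte_jump is anchored to."""
    last, out = None, []
    for r in rows:
        if r['keyword'] == 'content':
            last = r['value']
        elif r['keyword'] in ('byte_test', 'byte_jump') and 'relative' in r['value']:
            out.append((r['keyword'], last))
    return out
```

Rebuilding by keyword anchors both relative checks to the last content ("END"); rebuilding by sequence restores the original anchors and round-trips the rule text unchanged.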
Logged In: YES
user_id=984574
I'll take a look at that rule tonight. I thought I had the
problems with them fixed as I was able to import all the rules
that were in the 2.1 gzip about a week ago. If you want to
send the patches that would be great. I'll take a look at them.
I have to say that Byte Jump and Byte Test are the worst
parts of the rules to deal with.
Logged In: YES
user_id=984574
Dave,
You're right. Both the Byte_test and Byte_jump are totally
horked. I thought I had them working, but while they are
making parsable rules, they're messing up rules. If you have
those patches send them on.
Jason
Logged In: YES
user_id=257968
Does order really matter for uri-content checks? It does for
content/byte_jump/byte_test, but I'm not sure working to
maintain the order of uri-content checks is worth the
effort. Also, I haven't found any rules which use more than
one uri-content check (and presumably they'd only make sense
if logically-ORed anyway, so order won't matter).
Alex B.
Logged In: YES
user_id=984574
Alex,
I didn't think it. I have some time this weekend that I
plan on working on this. I have to see if I can look at the
rules and determine if it matters.