On Feb 4, 2011, at 12:02 PM, Dop wrote:
> signature s2b-1939-4 {
>   ip-proto == udp
>   dst-port == 67
>   # Not supported: byte_test: 1,>,6,2
>   event "MISC bootp hardware address length overflow"
>   payload /\x01/
> }
>
> signature s2b-1940-3 {
>   ip-proto == udp
>   dst-port == 67
>   # Not supported: byte_test: 1,>,7,1
>   event "MISC bootp invalid hardware type"
>   payload /\x01/
> }
>
> We see both of them (which I'm about to ignore), but I don't understand
> why one is triggered over the other.
It's definitely best to get rid of both of those signatures. They aren't even
matching what they claim to be matching because of those "Not supported" lines.
It's just an internal implementation detail as to which one gets triggered because
the signature engine is going to look to see which one matched and it will trigger the
first one that it finds and then stop.
Pretty much anything that says "s2b" (snort2bro) will be gone from the next
release and can even currently be ignored. The snort2bro code has already been
completely removed from the work repository.

.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
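To make concrete what the two converted signatures lost, here is an added example (not code from the thread, from Bro, or from snort2bro) that evaluates a few constructed BOOTP payloads three ways: against the converted rule as it actually stands (a bare `\x01` byte anywhere in the payload), against the original Snort `byte_test` conditions the "Not supported" comments record (`1,>,6,2` reads one byte at offset 2, the BOOTP `hlen` field, and tests it `> 6`; `1,>,7,1` reads the byte at offset 1, the `htype` field, and tests it `> 7`), and through a first-match-wins loop that mirrors the engine behaviour described above. The `byte_test` helper is a simplified re-implementation of the Snort option's big-endian unsigned semantics and is an assumption of this example, as are the constructed packets.

```python
import struct

# Fixed BOOTP header (RFC 951): op(1) htype(1) hlen(1) hops(1) xid(4) ...
# Constructed sample payloads: only the first 8 bytes matter here, the rest is zero padding.
def bootp(op=1, htype=1, hlen=6, hops=0, xid=0x12345678):
    return struct.pack("!BBBBI", op, htype, hlen, hops, xid) + b"\x00" * 228


def byte_test(payload, nbytes, op, value, offset):
    """Simplified Snort byte_test:<bytes>,<op>,<value>,<offset> (big-endian, unsigned).
    Assumed semantics for this example; returns False if the payload is too short."""
    chunk = payload[offset:offset + nbytes]
    if len(chunk) < nbytes:
        return False
    n = int.from_bytes(chunk, "big")
    return {">": n > value, "<": n < value, "=": n == value}[op]


def converted_match(payload):
    """What the snort2bro output actually tests: payload /\x01/ matches any 0x01 byte."""
    return b"\x01" in payload


def original_1939(payload):
    """Snort 1939 intent: hardware address length (offset 2) greater than 6."""
    return converted_match(payload) and byte_test(payload, 1, ">", 6, 2)


def original_1940(payload):
    """Snort 1940 intent: hardware type (offset 1) greater than 7."""
    return converted_match(payload) and byte_test(payload, 1, ">", 7, 1)


def evaluate(payload):
    return {
        "converted_only": converted_match(payload),
        "1939_hlen_overflow": original_1939(payload),
        "1940_invalid_htype": original_1940(payload),
    }


# The converted rules are identical apart from the event text, so a first-match-wins
# engine always reports the first one in its list and stops, as the reply explains.
CONVERTED_RULES = [
    ("s2b-1939-4", converted_match),
    ("s2b-1940-3", converted_match),
]


def first_match(payload, rules=CONVERTED_RULES):
    for name, predicate in rules:
        if predicate(payload):
            return name
    return None


if __name__ == "__main__":
    samples = {
        "normal DHCPDISCOVER (op=1, htype=1, hlen=6)": bootp(),
        "oversized hlen=16": bootp(hlen=16),
        "unusual htype=32": bootp(htype=32),
    }
    for label, pkt in samples.items():
        print(label, evaluate(pkt), "first converted match:", first_match(pkt))
```

Running it shows that every ordinary DHCP request fires the converted rules (the `op` field of a BOOTREQUEST is `0x01`), that the `byte_test` conditions are what separated the two original Snort rules, and that `first_match` returns `s2b-1939-4` for all three packets regardless of content, which is exactly why one event appears and the other never does.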