Snort mailing list archives
Re: Does 'ttl' allow less-than-or-equal and greater-than-or-equal?
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 31 Aug 2010 09:46:46 -0400
On Mon, Aug 30, 2010 at 9:33 PM, <Joshua.Kinard () us-cert gov> wrote:
Hi -devel,

Curious question, but does the 'ttl' rule option support the <= and >= operators? SourceFire's manual indicates that it does (looking at Sourcefire 3D System Analyst Guide, 4.9.1, Page 1204). The Snort manual is not at all clear, stating in just one line: ttl:[[<number>-]><=]<number>; The single '=' in there seems to suggest that <= and >= are possible, but the parser in src/detection-plugins/sp_ttl_check.c:218 (snort-2.8.6) suggests only that less-than, greater-than, and equals are supported. The switch statement does not set ds_ptr->oper to a constant that would indicate lte/gte operations, nor does it bitwise AND TTL_CHECK_EQ to either TTL_CHECK_GT or TTL_CHECK_LT to achieve a similar effect.

If 'ttl' does not support <= or >=, then what is the '=' for? Would that not make 'ttl:64;' equivalent to 'ttl:=64;'? Or is this a holdover from an earlier version of Snort that required the '=' character to represent equality?
Looks like the manual could be more clear. ttl:64 is the same as ttl:=64. Also, <= and >= are not valid. You can specify e.g. 1-64 which means <=64. There are also decoder alerts for zero TTL or TTL below the configured minimum. And the same applies to IP6 hop limit. We'll at least get the documentation updated.

Russ
Thanks!, --J

Snort-devel mailing list: Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel
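A small reference model of the ttl option syntax as Russ describes it, added here as an example (it is not Snort's sp_ttl_check.c): it accepts 64, =64, <64, >64 and 1-64, rejects <=64 and >=64, and evaluates a packet TTL against the parsed form. The 0-255 bounds check and the "range" label are my assumptions, not something the thread states.

```python
import re

# Forms the thread says the 'ttl' option accepts:
#   64     exact match (same as =64)
#   =64    exact match
#   <64    strictly less than 64
#   >64    strictly greater than 64
#   1-64   inclusive range; this is how "<= 64" is written
# "<=" and ">=" are not valid, so the pattern below cannot match them:
# the optional operator is a single character followed directly by digits.
_TTL_RE = re.compile(r"^(?:(?P<lo>\d+)-(?P<hi>\d+)|(?P<op>[<>=]?)(?P<val>\d+))$")


def parse_ttl(spec):
    """Parse the value part of a 'ttl:' option into (op, lo, hi).

    op is one of "=", "<", ">" or "range" (assumed label for the 1-64 form).
    """
    text = spec.strip().rstrip(";").strip()
    m = _TTL_RE.match(text)
    if m is None:
        raise ValueError("invalid ttl option value: %r" % spec)
    if m.group("lo") is not None:
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        # Assumed sanity check: TTL is an 8-bit field, and a range must be ordered.
        if not 0 <= lo <= hi <= 255:
            raise ValueError("ttl range out of order or outside 0-255: %r" % spec)
        return ("range", lo, hi)
    val = int(m.group("val"))
    if val > 255:
        raise ValueError("ttl value outside 0-255: %r" % spec)
    op = m.group("op") or "="      # a bare number means equality, like =number
    return (op, val, val)


def is_valid_ttl(spec):
    """True if the value would be accepted by parse_ttl()."""
    try:
        parse_ttl(spec)
        return True
    except ValueError:
        return False


def ttl_matches(spec, ttl):
    """Evaluate a packet's TTL (or IPv6 hop limit) against a ttl option value."""
    op, lo, hi = parse_ttl(spec)
    if op == "=":
        return ttl == lo
    if op == "<":
        return ttl < lo
    if op == ">":
        return ttl > lo
    return lo <= ttl <= hi
```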
