Snort mailing list archives

Re: [Snort-sigs] Announcing sp_perl


From: Chris Green <cmg () sourcefire com>
Date: Mon, 12 May 2003 09:05:50 -0400

Jeff Nathan <jeff () snort org> writes:

As described in our CanSecWest/core03 presentation, Advanced IDS, Brian 
Caswell and I are proud to present a new detection plugin for Snort: 
sp_perl.  This detection plugin offers users full regular expression 
matching within a Snort rule as well as runtime execution of perl
code.

Religious issues aside,

1)  otn->ds_list[PLUGIN_PERL] = (PerlData *)calloc(sizeof(PerlData),
                                 sizeof(u_int8_t));

    should be checked

2)
+    /* room for a full-sized IP packet + null terminator */
+    memset(tmp_payload, 0, 65537);
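
Review bot: the length 65537 in this memset is a bare literal that has to stay in step with the size of tmp_payload described in the comment above it. Tie the two together with one named constant (or sizeof, if tmp_payload is an array) so a later change to the buffer cannot leave the memset clearing the wrong number of bytes. If the zero fill exists only to guarantee termination, a single terminator written after the copied payload does the same job without clearing the full buffer on every packet.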

  That could be switched to dsize and usually average a 500 byte memset.

3) tmp_payload[p->dsize - 1] ='\0';

   that ends up being tmp_payload[0xFFFFFFFF] = '\0' on 0 byte packets.


4) dinky optimization
        snprintf(srcport, 6, "%hu", 0);
        snprintf(dstport, 6, "%hu", 0);

    can be just
        srcport = "0";
        dstport = "0";

I don't have enough time to look at and understand the rest.
-- 
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.
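
The bounds problem raised in points 2 and 3 above, as an added example that is not code from the sp_perl patch or from either poster. The function names, the 16-bit type assumed for dsize and the sample payload are assumptions made for illustration; the terminator is written after the payload rather than over its last byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_BUF_SIZE 65537   /* size used in the quoted memset */

/* Index computed by `dsize - 1`; assumes dsize is a 16-bit unsigned field. */
long unguarded_index(uint16_t dsize)
{
    return (long)dsize - 1;      /* -1 when dsize == 0: one byte before the buffer */
}

/*
 * Copy dsize payload bytes into buf and NUL-terminate after them.
 * Only dsize + 1 bytes are written, so no full-buffer memset is needed.
 * Returns the number of payload bytes copied, or -1 if the input is rejected.
 */
long payload_to_cstring(char *buf, size_t buf_size,
                        const uint8_t *data, uint16_t dsize)
{
    if (buf == NULL || buf_size == 0)
        return -1;
    if ((size_t)dsize + 1 > buf_size)
        return -1;               /* no room for payload plus terminator */
    if (dsize > 0) {
        if (data == NULL)
            return -1;
        memcpy(buf, data, dsize);
    }
    buf[dsize] = '\0';           /* index 0 for an empty packet, never -1 */
    return (long)dsize;
}

int main(void)
{
    static char tmp[PAYLOAD_BUF_SIZE];
    const uint8_t sample[] = { 'G', 'E', 'T', ' ', '/' };   /* constructed payload */
    long n;

    printf("unguarded index for dsize 0: %ld\n", unguarded_index(0));
    n = payload_to_cstring(tmp, sizeof tmp, sample, (uint16_t)sizeof sample);
    printf("copied %ld bytes: \"%s\"\n", n, tmp);
    n = payload_to_cstring(tmp, sizeof tmp, NULL, 0);
    printf("empty packet: %ld bytes, strlen %zu\n", n, strlen(tmp));
    return 0;
}
```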
