Snort mailing list archives
Re: [Snort-sigs] Announcing sp_perl
From: Chris Green <cmg () sourcefire com>
Date: Mon, 12 May 2003 09:05:50 -0400
Jeff Nathan <jeff () snort org> writes:
As described in our CanSecWest/core03 presentation, Advanced IDS, Brian Caswell and I are proud to present a new detection plugin for Snort: sp_perl. This detection plugin offers users full regular expression matching within a Snort rule as well as runtime execution of perl code.
Religious issues aside,

1)
    otn->ds_list[PLUGIN_PERL] = (PerlData *)calloc(sizeof(PerlData), sizeof(u_int8_t));

should be checked

2)
    + /* room for a full-sized IP packet + null terminator */
    + memset(tmp_payload, 0, 65537);

That could be switched to dsize and usually average a 500 byte memset.

3)
    tmp_payload[p->dsize - 1] ='\0';

that ends up being tmp_payload[0xFFFFFFFF] = '\0' on 0 byte packets.

4) dinky optimization 0

    snprintf(srcport, 6, "%hu", 0);
    snprintf(dstport, 6, "%hu", 0);

can be just

    srcport = "0";
    dstport = "0";

I don't have enough time to look at and understand the rest.
-- 
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.
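The allocation check, dsize-based sizing and 0 byte packet case from points 1 to 3 of the review, as an added example that is not part of the original message or the sp_perl source. The names copy_payload and reviewed_terminator_index, and the uint16_t type used for dsize, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Index that the reviewed line tmp_payload[p->dsize - 1] writes to,
 * viewed as a 32-bit unsigned value (the dsize type is an assumption). */
static uint32_t reviewed_terminator_index(uint16_t dsize)
{
    return (uint32_t)(dsize - 1);   /* dsize == 0 gives 0xFFFFFFFF */
}

/* Hypothetical helper: return a NUL-terminated heap copy of the payload,
 * or NULL on allocation failure. The caller frees the result. */
static char *copy_payload(const uint8_t *data, uint16_t dsize)
{
    /* Size by dsize rather than clearing a fixed 65537 bytes; calloc
     * zeroes the buffer, so index dsize already holds the terminator. */
    char *buf = calloc((size_t)dsize + 1, 1);

    if (buf == NULL)            /* point 1: check the allocation */
        return NULL;
    if (dsize > 0 && data != NULL)
        memcpy(buf, data, dsize);
    buf[dsize] = '\0';          /* point 3: in bounds even when dsize == 0 */
    return buf;
}

int main(void)
{
    static const uint8_t sample[] = "GET / HTTP/1.0";   /* constructed payload */
    char *full = copy_payload(sample, (uint16_t)(sizeof(sample) - 1));
    char *empty = copy_payload(NULL, 0);                 /* 0 byte packet */

    if (full == NULL || empty == NULL) {
        free(full);
        free(empty);
        return 1;
    }
    printf("full=\"%s\" empty_len=%zu reviewed_index=0x%08X\n",
           full, strlen(empty), (unsigned)reviewed_terminator_index(0));
    free(full);
    free(empty);
    return 0;
}
```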
Current thread:
- Announcing sp_perl Jeff Nathan (May 10)
- Re: [Snort-sigs] Announcing sp_perl Chris Green (May 12)
- RE-Announcing sp_perl Brian (May 13)