Snort mailing list archives

Issues with Full format Aho Corasick in Snort 3


From: Oskar Olsson <oskarol () student chalmers se>
Date: Tue, 6 Mar 2018 11:06:56 +0000

Hello there Snort-devel!

We are two students at Chalmers University of Technology, and we are currently working with Snort 3 for our master 
thesis, which relates to the pattern matching in Snort.
We noticed that when we try to print our state machine that we build as AC_FULL in acsmx2, we get very strange 
transitions.

The problem is that, even with a single rule with content:GET, the state machine contains multiple transition states 
that point to very high numbered states, even though the machine only contains 4.

Another strange thing is that the format of each state can vary and be values that should not be possible (such as 
256). We have tested code from Snort 2 and also using the standard AC machine (acmx.cc) and these seem to be producing 
a valid state machine.


To clarify: Using a simple content rule: alert tcp any any -> any any (msg: "Content Rule"; content: "GET"; sid:1;)
we get states that contain multiple transitions to strange states. We wonder if someone has stumbled upon this problem 
previously or knows what might cause this strange behavior.


Best Regards,
Oskar and Linus
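As an added illustration (not code from Snort's acsmx2 nor from the thread), here is a minimal full-format Aho-Corasick build for the single pattern GET, plus the sanity check one would run on a printed table: every transition must land on a state below the state count, and each row holds exactly 256 byte slots. The names `AcFull`, `ac_build`, `ac_valid` and `ac_scan` are assumed for this example.

```cpp
#include <array>
#include <queue>
#include <string>
#include <vector>
// Dense ("full") Aho-Corasick table: every (state, byte) resolves to a real state,
// so scanning never follows failure links. Names here are assumed, not acsmx2's.
struct AcFull {
    std::vector<std::array<int, 256>> next;  // next[state][byte] -> state
    std::vector<std::vector<int>> out;       // pattern ids matched at each state
};
static void add_state(AcFull& m) {
    m.next.push_back({}); m.next.back().fill(-1); m.out.emplace_back();
}
AcFull ac_build(const std::vector<std::string>& patterns) {
    AcFull m;
    add_state(m);                                              // state 0 = root
    for (size_t id = 0; id < patterns.size(); ++id) {          // 1. goto trie
        int s = 0;
        for (unsigned char c : patterns[id]) {
            if (m.next[s][c] < 0) { m.next[s][c] = (int)m.next.size(); add_state(m); }
            s = m.next[s][c];
        }
        m.out[s].push_back((int)id);
    }
    std::vector<int> fail(m.next.size(), 0);                   // 2. BFS: failures, dense rows
    std::queue<int> q;
    for (int c = 0; c < 256; ++c)
        if (m.next[0][c] < 0) m.next[0][c] = 0; else q.push(m.next[0][c]);
    while (!q.empty()) {
        int s = q.front(); q.pop();
        for (int c = 0; c < 256; ++c) {
            int t = m.next[s][c];
            if (t < 0) { m.next[s][c] = m.next[fail[s]][c]; continue; }  // borrow fail row
            fail[t] = m.next[fail[s]][c];                                // shallower, already dense
            m.out[t].insert(m.out[t].end(), m.out[fail[t]].begin(), m.out[fail[t]].end());
            q.push(t);
        }
    }
    return m;
}
// Check for the reported symptom: no transition may name a state >= state count.
bool ac_valid(const AcFull& m) {
    int n = (int)m.next.size();
    for (const auto& row : m.next) for (int t : row) if (t < 0 || t >= n) return false;
    return true;
}
int ac_scan(const AcFull& m, const std::string& buf) {   // total pattern hits in buf
    int s = 0, hits = 0;
    for (unsigned char c : buf) { s = m.next[s][c]; hits += (int)m.out[s].size(); }
    return hits;
}
```

For the rule in the mail, `ac_build({"GET"})` yields exactly 4 states (root, G, GE, GET) and `ac_valid` passes; a dump showing transitions beyond state 3 or a byte index of 256 would fail the same check.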


_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
