[Oisf-devel] SigParseTest05 test and DetectPortParse()

Yao-Min Chen Yaomin.Chen at Sun.COM
Tue Jan 26 09:06:14 UTC 2010

Just tracing through the unit test as it was giving errors [ERRCODE: 
SC_INVALID_ARGUMENT(12)] - PortParse error "1024:65536"

 sig = SigInit(de_ctx, "alert tcp 1024:65536 -> ! any 
(msg:\"SigParseTest05\"; sid:1;)");

Given the port range error (65536 is greater than the max port number 
65535), I am curious why SigInit still returned non-null and the unit 
test passed. The return codes of DetectPortParse() and 
DetectPortParseDo() were not checked.  I wonder whether the behavior 
should be 1) checking the return code, and 2) halting further parsing of 
the signature.


More information about the Oisf-devel mailing list