Snort mailing list archives

Re: Which options determine which packets are matched?


From: Sweth Chandramouli <snort-users () astaroth sweth net>
Date: Wed, 20 Jun 2001 15:16:17 -0400

On Wed, Jun 20, 2001 at 12:36:39PM -0400, Sweth Chandramouli wrote:
      .  So, in theory, any pair of filters that are identical
for those fields are "the same", even if other options like msg happen
to be different.

        And, of course, the non-action portions of their respective
rules headers.  That brings up another question, with regards to variable
interpolation.  The arachNIDS and snort.org rules, to cite one example,
use different variable names for the same thing; the former might use

$EXTERNAL any -> $INTERNAL 23

        while the latter would use

$EXTERNAL_NET any -> $HOME_NET 23

        .  The system I'm building is for postprocessing of alert
messages, so it has no way of knowing how the original variables were
expanded (that is, it doesn't have access to the original conf files); it
just has a list of the rules that are out there in use.  I know it isn't
an algorithmically perfect solution, but I was thinking of just saying
that a given token in the rules headers matches if the text matches, or
if both tokens are variables, regardless of their names.  Is that too
lenient a criterion?
        (I know that for the arachNIDS/snort.org case, I can 
usually determine matching via the references options, but that doesn't
apply for all of the rules I'm dealing with.)

        -- Sweth.

-- 
Sweth Chandramouli ; <svc () sweth net>
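The lenient criterion from the post, as an added example that is not part of the thread and not Sweth's code: two rule headers match when each non-action token is textually equal or both tokens are variables. Alongside it is a slightly stricter variant that also requires the variable names to map one-to-one across the pair, which catches a header that reuses one variable for both endpoints being equated with one that uses two distinct variables. Neither variant can tell a direction-swapped pair apart without the original variable expansions, which is the limitation the post acknowledges. The sample headers beyond the two quoted in the post are constructed for the demo.

```python
import re

# Constructed sample headers for the demo. The first two are the forms quoted in
# the post; the rest are made up here to exercise the matching rules.
SAMPLE_HEADERS = [
    "$EXTERNAL any -> $INTERNAL 23",
    "$EXTERNAL_NET any -> $HOME_NET 23",
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 23",
    "$HOME_NET any -> $EXTERNAL_NET 23",   # direction-swapped (constructed)
    "$EXTERNAL_NET any -> $HOME_NET 22",   # different port (constructed)
    "$HOME_NET any -> $HOME_NET 23",       # same variable both ends (constructed)
]

# A Snort rule variable token after any leading '!' has been removed.
VAR_RE = re.compile(r"^\$[A-Za-z_]\w*$")


def header_fields(header):
    """Return (proto, [src, sport, direction, dst, dport]) for a rule header.

    A full 'action proto src sport dir dst dport' header has its action dropped,
    since only the non-action portion matters here; a bare five-token address
    part (as quoted in the post) has proto None.
    """
    toks = header.split()
    if len(toks) == 7:
        return toks[1], toks[2:]
    if len(toks) == 5:
        return None, toks
    raise ValueError(f"unrecognised rule header: {header!r}")


def split_negation(tok):
    """Separate a leading '!' (address/port negation) from the token body."""
    return (True, tok[1:]) if tok.startswith("!") else (False, tok)


def token_match(ta, tb, mapping):
    """Compare one header token from each rule.

    mapping is None for the lenient criterion (any variable matches any
    variable) or a dict recording the variable-name correspondence built so far
    for the consistent criterion, which must stay one-to-one.
    """
    neg_a, va = split_negation(ta)
    neg_b, vb = split_negation(tb)
    if neg_a != neg_b:
        return False
    if VAR_RE.match(va) and VAR_RE.match(vb):
        if mapping is None:
            return True
        bound = mapping.get(va)
        if bound is None:
            if vb in mapping.values():   # vb already stands for another variable
                return False
            mapping[va] = vb
            return True
        return bound == vb
    return va == vb                      # literals (and '->' / '<>') must be identical


def headers_match(a, b, consistent=False):
    """Apply the criterion to two headers; protocol is compared only when both
    headers carry one, so a bare address part can match a full header."""
    proto_a, fa = header_fields(a)
    proto_b, fb = header_fields(b)
    if proto_a and proto_b and proto_a != proto_b:
        return False
    mapping = {} if consistent else None
    return all(token_match(x, y, mapping) for x, y in zip(fa, fb))


def group_headers(headers, consistent=False):
    """Cluster headers into groups whose first member matches every other
    member under the chosen criterion (a first-match bucketing, adequate for
    alert post-processing)."""
    groups = []
    for h in headers:
        for g in groups:
            if headers_match(g[0], h, consistent):
                g.append(h)
                break
        else:
            groups.append([h])
    return groups


if __name__ == "__main__":
    for label, strict in (("lenient", False), ("consistent", True)):
        print(label)
        for g in group_headers(SAMPLE_HEADERS, consistent=strict):
            print("  ", g)
```

Under the lenient criterion the direction-swapped and same-variable headers fall into the same group as the two quoted ones; the consistent criterion separates only the same-variable case, since a swap is still a valid one-to-one renaming. A `<>` direction is compared literally, so a bidirectional rule never matches its `->` counterpart under either criterion.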
