Snort mailing list archives
Re: Which options determine which packets are matched?
From: Sweth Chandramouli <snort-users () astaroth sweth net>
Date: Wed, 20 Jun 2001 15:16:17 -0400
On Wed, Jun 20, 2001 at 12:36:39PM -0400, Sweth Chandramouli wrote:
> So, in theory, any pair of filters that are identical for those fields are "the same", even if other options like msg happen to be different.
And, of course, the non-action portions of their respective rules headers.

That brings up another question, with regard to variable interpolation. The arachNIDS and snort.org rules, to cite one example, use different variable names for the same thing; the former might use $EXTERNAL any -> $INTERNAL 23 while the latter would use $EXTERNAL_NET any -> $HOME_NET 23. The system I'm building is for postprocessing of alert messages, so it has no way of knowing how the original variables were expanded (that is, it doesn't have access to the original conf files); it just has a list of the rules that are out there in use. I know it isn't an algorithmically perfect solution, but I was thinking of just saying that a given token in the rules headers matches if the text matches, or if both tokens are variables, with any names. Is that too lenient a criterion? (I know that for the arachNIDS/snort.org case, I can usually determine matching via the references options, but that doesn't apply for all of the rules I'm dealing with.)

-- Sweth.

--
Sweth Chandramouli ; <svc () sweth net>
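As an added illustration of the criterion proposed above (this is example code written for this archive page, not anything Sweth or the Snort project published), the following Python compares the non-action portions of two Snort rule headers. `lenient_match` is the rule as stated in the mail: a token matches if the text is identical, or if both tokens are variables (anything beginning with `$`, an assumption about the variable syntax). `consistent_match` is a stricter variant I added that additionally requires the variable names to map one-to-one across the two headers, so a rule that reuses one variable for both ends is not conflated with one that uses two different variables. The header format assumed is `action proto src_ip src_port direction dst_ip dst_port (options)`; the sample rules are constructed for the example and their msg strings are placeholders.

```python
import re
from dataclasses import dataclass

# Snort rule header: action proto src_ip src_port (-> or <>) dst_ip dst_port, then options.
# Assumption: IP and port tokens contain no whitespace (lists such as [1.2.3.4,5.6.7.8] do not).
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\(.*\))?\s*$"
)


@dataclass(frozen=True)
class Header:
    """The non-action part of a rule header, which is what the mail proposes comparing."""
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str

    def tokens(self):
        return (self.proto, self.src, self.sport, self.direction, self.dst, self.dport)


def parse_header(rule: str) -> Header:
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError(f"not a Snort rule header: {rule!r}")
    return Header(m["proto"], m["src"], m["sport"], m["dir"], m["dst"], m["dport"])


def is_variable(tok: str) -> bool:
    # Assumption: a header token is a config variable iff it begins with '$'.
    return tok.startswith("$")


def lenient_match(a: Header, b: Header) -> bool:
    """The criterion from the mail: identical text, or both tokens are variables of any name."""
    return all(
        x == y or (is_variable(x) and is_variable(y))
        for x, y in zip(a.tokens(), b.tokens())
    )


def consistent_match(a: Header, b: Header) -> bool:
    """Stricter variant (my addition): variable names must map one-to-one between the headers.

    Without the original conf files this still cannot tell a genuine rename from a swap
    of source and destination variables; it only rejects inconsistent reuse of a name.
    """
    forward, backward = {}, {}
    for x, y in zip(a.tokens(), b.tokens()):
        if is_variable(x) and is_variable(y):
            if forward.setdefault(x, y) != y or backward.setdefault(y, x) != x:
                return False
        elif x != y:
            return False
    return True


# Constructed sample rules; msg strings are placeholders, not real ruleset text.
ARACHNIDS_STYLE = 'alert tcp $EXTERNAL any -> $INTERNAL 23 (msg:"telnet example";)'
SNORT_ORG_STYLE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"telnet example";)'
INTERNAL_ONLY = 'alert tcp $HOME_NET any -> $HOME_NET 23 (msg:"internal telnet example";)'
LITERAL_NET = 'alert tcp 192.0.2.0/24 any -> $HOME_NET 23 (msg:"literal source example";)'


def compare(rule_a: str, rule_b: str) -> dict:
    """Run both criteria on two raw rules; handy for a postprocessing dedup pass."""
    a, b = parse_header(rule_a), parse_header(rule_b)
    return {"lenient": lenient_match(a, b), "consistent": consistent_match(a, b)}


if __name__ == "__main__":
    for other in (SNORT_ORG_STYLE, INTERNAL_ONLY, LITERAL_NET):
        print(compare(ARACHNIDS_STYLE, other))
```

Running the module shows the trade-off behind the question in the mail: the arachNIDS-style and snort.org-style telnet rules match under both criteria, the rule that uses `$HOME_NET` at both ends is accepted by the lenient check but rejected by the consistent one, and a rule with a literal network in place of a variable is rejected by both. Rules that differ only by swapping source and destination variables are indistinguishable under either criterion when the conf files are unavailable, which is the residual looseness a postprocessor built this way has to accept or resolve through the reference options.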