Snort mailing list archives
Re: PCRE and cross packet matching
From: Tony Robinson <trobinson () sourcefire com>
Date: Fri, 3 Aug 2012 11:58:24 -0400
Just to further explain Patrick's message: while it isn't explicitly spelled out, Patrick is more or less referring to frag3 and stream5. If you utilize IP defragmentation and stream reassembly, we have an entire TCP stream that the rule can work against. If frag3/s5 are not being used to defragment/reassemble packets and TCP segments, you will only have individual packets to work with.

A good, general rule of thumb for using PCRE in this instance is to have some sort of a content match prior to using PCRE, so Snort knows where in the packet or stream to use the PCRE engine to shred through the data from that point onward, so you don't run into the problem of Snort giving up on a PCRE match.

Hope this helps,
-Tony

On Fri, Aug 3, 2012 at 9:53 AM, vpiserchia () gmail com <vpiserchia () gmail com> wrote:
> Hello Snort Gurus,
>
> I have the following question for you: do Snort PCRE signatures match cross-packet content?
>
> I googled a bit and found no other answers about this topic, sorry if I missed any.
>
> Regards,
> Vito Piserchia
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Tony Robinson
Security Consultant I
SourceFIRE Professional Services Division
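To make the advice above concrete, here is an added example (not code from Tony's message or from the Snort project) of the two pieces it relies on: the frag3/stream5 preprocessor lines that give a rule a reassembled TCP stream to work against, and a rule that anchors its pcre with a content match so the regex engine starts at a known offset rather than scanning the whole buffer. It assumes a Snort 2.9-era snort.conf; the header name, byte threshold, sid and the $HOME_NET/$HTTP_PORTS variables are constructed for illustration.

```snort
# Added example (not from the thread). Assumes Snort 2.9-era syntax; the
# header name, sid and size threshold are constructed for illustration.

# 1. Without IP defragmentation and TCP reassembly, pcre only ever sees the
#    payload of one packet, so anything split across segments is missed.
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first, detect_anomalies
preprocessor stream5_global: track_tcp yes, max_tcp 262144
preprocessor stream5_tcp: policy first, ports both 80 8080

# 2. Anchor the regex: the content match selects the rule via the fast
#    pattern matcher and sets the "doe" pointer; the R modifier makes the
#    pcre run relative to the end of that match instead of from offset 0.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE oversized X-Example-Token header value"; \
    flow:to_server,established; \
    content:"X-Example-Token|3A| "; nocase; fast_pattern; \
    pcre:"/[A-Za-z0-9+\/=]{512,}/R"; \
    classtype:policy-violation; sid:1000001; rev:1; \
)

# Weak form for comparison (left disabled): no content anchor, so every
# packet or reassembled stream on these ports is handed to the PCRE engine
# from the first byte, which is exactly the case where Snort may give up.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
#     msg:"EXAMPLE unanchored pcre"; flow:to_server,established; \
#     pcre:"/[A-Za-z0-9+\/=]{512,}/"; sid:1000002; rev:1; )
```

If stream5 is commented out, the anchored rule still loads but only fires when the header name and its whole value land in one segment; with reassembly on, a value that spans several segments is matched in the rebuilt stream. The fast_pattern modifier is optional here, since a rule with a single content already uses it as the fast pattern, but it makes the intent explicit when more contents are added later.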
Current thread:
- PCRE and cross packet matching vpiserchia () gmail com (Aug 03)
- Re: PCRE and cross packet matching Patrick Mullen (Aug 03)
- Re: PCRE and cross packet matching Tony Robinson (Aug 03)
- Re: PCRE and cross packet matching Marcos Rodriguez (Aug 03)
- Re: PCRE and cross packet matching Jason Haar (Aug 05)
- Re: PCRE and cross packet matching Joel Esler (Aug 06)
- Re: PCRE and cross packet matching Joel Esler (Aug 06)
- Re: PCRE and cross packet matching vpiserchia () gmail com (Aug 06)