Snort mailing list archives
Rule checking logic ("checking" as defined by rule profile stats) question
From: Mike Cox <mike.cox52 () gmail com>
Date: Tue, 8 Jan 2013 14:41:40 -0600
I created two rules that were identical except one used the http_header keyword modifier in all its content matches (along with the 'H' flag in the PCRE) and the other doesn't have the content modifiers or 'H' in the PCRE. However, when testing these rules on a small and crafted pcap, and looking at the Rule Profile Stats, the one that doesn't use the http_* content modifier always has exactly twice the number of "Checks" than the one that does.

According to the Snort manual, "Checks (number of times rule was evaluated after fast pattern match within portgroup or any->any rules)". Based on the pcap and the port and direction the rules are looking for, there is just one packet that will be inspected after the fast pattern match (actually fast_pattern is specifically set in the rule too, but for the same content in both).

I know someone (*cough* Joel) will ask for pcaps and rules but I can't provide them. However, I was thinking that someone who knew more about the internal engine logic could enlighten me as to why this is.

Thanks.

-Mike Cox
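To reproduce the comparison described above, here is an added example (not rules from the original post) of the two rule variants side by side with rule profiling enabled; the header name, token value, message text and SIDs are assumptions chosen for illustration.

```snort
# Assumed snort.conf fragment (Snort 2.x): enable rule profiling and sort the
# report by the "Checks" column so the two rules can be compared directly.
config profile_rules: print all, sort checks

# Variant A: every content match and the PCRE are restricted to the normalized
# HTTP header buffer (http_header modifier, 'H' PCRE flag).
# The fast pattern is the same content in both variants.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE token in HTTP header (http_header buffer)"; flow:to_server,established; content:"X-Example-Token"; http_header; fast_pattern; content:"abc123"; http_header; pcre:"/X-Example-Token:\s*abc123/H"; classtype:misc-activity; sid:1000001; rev:1;)

# Variant B: identical rule, but the content matches and PCRE have no buffer
# modifier, so they are evaluated against the raw packet payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE token in HTTP header (raw payload)"; flow:to_server,established; content:"X-Example-Token"; fast_pattern; content:"abc123"; pcre:"/X-Example-Token:\s*abc123/"; classtype:misc-activity; sid:1000002; rev:1;)
```

Run Snort against the test pcap with `-r <file.pcap>` and compare the Checks column for SIDs 1000001 and 1000002 in the rule profile output printed at exit.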
Current thread:
- Rule checking logic ("checking" as defined by rule profile stats) question Mike Cox (Jan 08)
- Re: Fwd: Rule checking logic ("checking" as defined by rule profile stats) question Steven Sturges (Jan 09)
- Re: Fwd: Rule checking logic ("checking" as defined by rule profile stats) question Mike Cox (Jan 09)
- Re: Fwd: Rule checking logic ("checking" as defined by rule profile stats) question Mike Cox (Jan 10)
- Re: Fwd: Rule checking logic ("checking" as defined by rule profile stats) question Steven Sturges (Jan 13)
- Re: Fwd: Rule checking logic ("checking" as defined by rule profile stats) question Steven Sturges (Jan 09)