Snort mailing list archives

Re: Snort 2.9.7.0 Alpha is now available


From: Joshua Kinard <kumba () gentoo org>
Date: Wed, 26 Feb 2014 18:28:51 -0500

On 02/25/2014 10:05 AM, Snort Releases wrote:
> Snort 2.9.7 Alpha is now available on snort.org, at
> http://www.snort.org/snort-downloads/  in the Development section.

[snip]
> * A new protected_content rule option that is used to match against a
> content that is hashed.  It can be used to obscure the full context of
> the rule from the administrator.

This is kinda neat, but, wouldn't it make more sense to call it
"hashed_content" instead of "protected_content"?  After all, MD5 can be
collided, so there's potential for the indicator string to be recoverable,
in very limited circumstances.  E.g., I took both the MD5 and SHA256
examples from the manual and plugged them into crackstation.net, and got
back "HTTP" for both.  That won't work in all cases, but it demonstrates
that a basic, unsalted hash isn't a whole lot of "protection".

Also, any alerts generated by a rule using protected_content would contain
the original indicator in the captured packet, and one could simply read the
rule text (offset, and the new length parameter) to locate it in that packet.

Last, how does protected_content work with the fast-pattern matcher?  I see
that you cannot use the 'fast_pattern' keyword with it, so what string is it
inserting?  Is it using the hash and comparing that against a hash of the
specified data pulled from the packet's payload?

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
