Snort mailing list archives

Re: Snort searching algorithm


From: Venkataramesh Bontupalli <bontupalliv1 () udayton edu>
Date: Tue, 13 May 2014 16:33:02 -0400

Thank you Y M,

I am trying to analyse the strength of SNORT's searching algorithm, so after
my initial study and the replies from SNORT experts, I think the following
(please correct me if I am wrong):

SNORT architecture is primarily divided into 5 modules:
1. *Sniffer* --- Captures the network packets from the NIC card
2. *Decoder* --- Extracts the essential contents of the packets like IP
address, protocols, payload details etc.
3. *Preprocessor* --- Does the decryption and defragmentation of packets
into a whole packet and also does initial rule matching (this is the reason why
we still see some alerts even though we comment out all rules in snort.conf)
4. *Detection Engine* --- Compares the pre-processed packet details against
user-defined snort rules using the Boyer-Moore or Aho-Corasick search
algorithm
5. *Alert modules* --- Alerts on the match results

I wrote a simple snort rule so it fires if Facebook is opened, by matching
the content against incoming packets:

*alert tcp any any -> $HOME_NET any (content:"www.facebook.com"; msg:"facebook opened"; sid:2000004;)*

I ran Wireshark and Snort on the same traffic and couldn't find the
content "facebook" in the Wireshark display. Snort somehow combines the
packets, decrypts them and then runs the rule against the result to generate
the alert.

So is there any possibility to see that pre-processed output?

Sorry for the big email.


Thanks and Regards,
VenkataRamesh


On Tue, May 13, 2014 at 12:43 AM, Y M <snort () outlook com> wrote:

P.S.: Please reply to the entire list so everyone can benefit/participate,
and not only to the person who replied to your request.

If I am understanding your request right, then there are several
preprocessors through which the packet stream passes before it hits
the detection engine (I guess, logically speaking). For example, packet
decoders and the reputation preprocessor get to process packets before the
detection engine. However, these preprocessors also have rules (text or SO
rules) and will log certain traffic anomalies (rules) or when a blacklisted
IP is matched by the reputation preprocessor, respectively. My
understanding is that these preprocessors will output directly to the
output plugin, as opposed to "consulting" with the detection engine before
the actual output is made.

YM

------------------------------
Date: Mon, 12 May 2014 18:48:42 -0400
Subject: RE: [Snort-users] Snort searching algorithm
From: bontupalliv1 () udayton edu
To: snort () outlook com


Thanks for the reply...
Is there a possibility to log the preprocessor data before it hits the
detection engine?
If so, what would the code/conf changes be?
On May 9, 2014 4:25 PM, "Y M" <snort () outlook com> wrote:

From the documentation:
http://manual.snort.org/node16.html#SECTION00313000000000000000. Look
for "config detection: [search-method <method>]", this should help.

YM

------------------------------
Date: Fri, 9 May 2014 14:32:27 -0400
From: bontupalliv1 () udayton edu
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort searching algorithm

Dear snort users,
Could anyone please tell me what pattern matching algorithm(s) Snort uses
in the detection engine for matching malicious packet content against its
rules' content?

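As an added example (not code from this thread or from the Snort project): a minimal Aho-Corasick matcher, the multi-pattern algorithm named in the thread, run over a constructed rule set to show how a single pass over a payload tests every rule's content at once. Only sid 2000004 and its content come from the thread; the other sids and contents are made up here.

```python
from collections import deque

# Constructed demo rule set: sid -> content. Only sid 2000004 is from the thread.
RULES = {
    2000004: b"www.facebook.com",
    1000001: b"cmd.exe",
    1000002: b"/etc/passwd",
    1000003: b"book.co",  # overlaps the facebook content: both must fire
}

class AhoCorasick:
    """Trie of all contents plus failure links; one scan reports every hit."""
    def __init__(self, patterns):
        self.goto = [{}]   # per-state transitions: byte -> next state
        self.fail = [0]    # per-state failure link (longest proper suffix in trie)
        self.out = [[]]    # per-state list of pattern ids ending there
        for pid, pat in patterns.items():
            s = 0
            for byte in pat:
                if byte not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][byte] = len(self.goto) - 1
                s = self.goto[s][byte]
            self.out[s].append(pid)
        # Breadth-first: follow the parent's failure link until the byte exists.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                self.out[s] += self.out[self.fail[s]]  # inherit suffix matches

    def search(self, payload):
        """Return (pattern id, end offset) for every content found in payload."""
        hits, s = [], 0
        for i, byte in enumerate(payload):
            while s and byte not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(byte, 0)
            hits.extend((pid, i) for pid in self.out[s])
        return hits

MATCHER = AhoCorasick(RULES)

def matching_sids(payload):
    """Sids whose content appears in the payload, e.g. a reassembled HTTP request."""
    return sorted({sid for sid, _ in MATCHER.search(payload)})
```

Like a Snort content match without the nocase modifier, the comparison here is byte-exact.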

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

