Snort mailing list archives
Re: question about paf
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Thu, 18 Dec 2014 22:13:12 +0000
________________________________
From: hyunseok.chang () gmail com [hyunseok.chang () gmail com] on behalf of Hyunseok [hyunseok () ieee org]
Sent: Thursday, December 18, 2014 4:16 PM
To: Russ Combs (rucombs)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] question about paf

Thanks for your reply and clarification.

On Thu, Dec 18, 2014 at 11:35 AM, Russ Combs (rucombs) <rucombs () cisco com> wrote:
________________________________
* There are ways to deal with the limits though. If a PDU must be split, Snort shifts the split point by a random amount to make it less predictable. Also, the issue you bring up could be handled by setting a flow bit on an earlier PDU or PDU part and checking that when detecting a later PDU or PDU part. Also, preprocessors check for any conditions that must be detected before the PDU is assembled.

As you said, flowbits could be one way to correlate detections across blocks. But I'm still not sure whether that's a real solution. Might be a contrived example, but say there is a known attack string of 48K length in http payload. Then with 16K max-paf, the attack string will split over up to 4 consecutive PDU blocks. Maybe I am not an expert snort rule writer, but it doesn't seem trivial or possible to write detection rules to match such consecutive blocks that hold a long string using flowbits.

* If you really mean a contiguous 48K data sequence then it sounds more like a file and could be processed using those methods. For processing a flow in real time, the signature is typically comprised of a sequence of checks on much smaller strings for which flowbits are well suited.

-HS
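The exchange above turns on what happens to a 48K attack string once PAF flushes the PDU in blocks of at most max-paf (16K) bytes with a randomized split point. The following is an added example written for this archive page; it is not code from the thread, from Snort, or from Cisco. It models the split and compares the two strategies discussed: one rule carrying the whole 48K string as its content, and a chain of short contents correlated with a per-flow flag, which is the role flowbits play in a Snort rule set. The split model (cut at max-paf minus a random shift of up to MAX_SHIFT bytes), the stage/flag matcher, the marker strings and the 48K payload are all my constructions, not Snort's actual algorithm or rule language.

```python
"""
Added example (not Snort's code): how PAF splitting defeats one long content
match but not a chain of short matches tied together by a per-flow flag.

Assumptions, not taken from the thread: the split model below stands in for
Snort's behaviour; match_flowbit_chain is a simplified model of flowbits,
not the Snort rule language; the payload and markers are constructed.
"""
import random

MAX_PAF = 16 * 1024   # the 16K max-paf value discussed in the thread
MAX_SHIFT = 1024      # assumed upper bound on the random shift of a split point


def paf_split(payload: bytes, max_paf: int = MAX_PAF,
              max_shift: int = MAX_SHIFT, rng: random.Random = None) -> list:
    """Cut payload into blocks of at most max_paf bytes. Each forced cut is
    pulled back by a random 0..max_shift bytes so the block boundary is not
    predictable. Returns the list of block byte strings, in order."""
    rng = rng or random.Random(0)
    blocks, pos = [], 0
    while len(payload) - pos > max_paf:
        cut = pos + max_paf - rng.randint(0, max_shift)
        blocks.append(payload[pos:cut])
        pos = cut
    blocks.append(payload[pos:])
    return blocks


def match_single_content(blocks: list, needle: bytes) -> bool:
    """A rule with one content option: the whole needle must lie inside a
    single block, because each block is inspected as its own PDU."""
    return any(needle in block for block in blocks)


def match_flowbit_chain(blocks: list, stages: list) -> bool:
    """A chain of rules: stage i carries a short content and may only fire
    once the flag set by stage i-1 is already set on this flow. Stages may
    be satisfied in the same block or in later blocks, never out of order."""
    stage = 0          # number of flags set so far on this flow
    for block in blocks:
        start = 0
        while stage < len(stages):
            idx = block.find(stages[stage], start)
            if idx < 0:
                break
            start = idx + len(stages[stage])
            stage += 1
    return stage == len(stages)


# Constructed sample: a 48K attack string with three short, distinct markers.
# The markers sit away from the windows where a split can land (roughly
# 15-16K, 30-32K and 45-48K for these parameters): a marker that straddles a
# block boundary would be found in neither block, so anchor placement is
# the rule writer's real problem, not the total length of the string.
STAGES = [b"<<stage1:init>>", b"<<stage2:heap-spray>>", b"<<stage3:trigger>>"]
STAGE_OFFSETS = [512, 24 * 1024, 40 * 1024]


def build_attack_string(length: int = 48 * 1024) -> bytes:
    """Filler bytes with the three markers patched in at STAGE_OFFSETS."""
    buf = bytearray(b"A" * length)
    for marker, off in zip(STAGES, STAGE_OFFSETS):
        buf[off:off + len(marker)] = marker
    return bytes(buf)


def detection_rate(matcher, needle, trials: int = 200) -> float:
    """Fraction of random split layouts in which `matcher` detects the attack
    string; only the random shift of the split points varies between trials."""
    payload = build_attack_string()
    hits = 0
    for seed in range(trials):
        blocks = paf_split(payload, rng=random.Random(seed))
        assert all(len(b) <= MAX_PAF for b in blocks)
        hits += matcher(blocks, needle)
    return hits / trials


if __name__ == "__main__":
    print("single 48K content :", detection_rate(match_single_content, build_attack_string()))
    print("flowbit chain      :", detection_rate(match_flowbit_chain, STAGES))
```

The single-content rule never fires because no block can hold 48K bytes once the PDU is split; the chain fires in every layout because each short marker lands whole inside some block and the per-flow flag carries state across blocks. The caveat the simulation makes visible is that a short content placed where a randomized boundary can fall may itself be cut, so stage contents should be chosen from parts of the string that cannot coincide with a split window, or, as the reply above suggests for a genuinely contiguous 48K sequence, the data should be handled as a file rather than matched in-flow.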
Current thread:
- question about paf Hyunseok (Dec 18)
- Re: question about paf Russ Combs (rucombs) (Dec 18)
- Re: question about paf Hyunseok (Dec 18)
- Re: question about paf Russ Combs (rucombs) (Dec 18)
- Re: question about paf Hyunseok (Dec 18)
- Re: question about paf Russ Combs (rucombs) (Dec 18)