Honeypots mailing list archives
Re: Anyone know how to use the content:! rule and replace in snort_inline?
From: "John Smith" <genericjohnsmith () gmail com>
Date: Mon, 24 Apr 2006 23:07:10 +0000
On 4/24/06, Sushant Sinha <sushant () umich edu> wrote:
> The last time I was working on Snort code I found that it does not handle rules whose content matches are all negations. This is because it is very costly to perform a multi-pattern search with all negations. I would suggest adding at least one content match (not a negation) to the rule.
(this is just a hypothetical argument about how snort_inline could be more flexible...) Wouldn't it be *easy* for snort to just look for the pattern, and then, when it fails to find it, just write however many bytes you asked to replace to the beginning of the payload, subject to the other constraints like depth, offset and so forth? You don't have to search for all negations, or even replace all negations. If it behaved like this, then you could basically arbitrarily overwrite the payload in the absence of a match (i.e. you just set up the constraints so that only a certain chunk is valid for writing, and then you try to match something you know won't be in the packet).

John
Current thread:
- Anyone know how to use the content:! rule and replace in snort_inline? John Smith (Apr 24)
- Re: Anyone know how to use the content:! rule and replace in snort_inline? Frank Knobbe (Apr 24)
- Re: Anyone know how to use the content:! rule and replace in snort_inline? John Smith (Apr 24)
- Re: Anyone know how to use the content:! rule and replace in snort_inline? Sushant Sinha (Apr 24)
- Re: Anyone know how to use the content:! rule and replace in snort_inline? John Smith (Apr 24)
- Re: Anyone know how to use the content:! rule and replace in snort_inline? Frank Knobbe (Apr 24)