Snort mailing list archives
Which options determine which packets are matched?
From: Sweth Chandramouli <snort-users () astaroth sweth net>
Date: Wed, 20 Jun 2001 12:36:39 -0400
I'm building a system that needs to be able to keep track of different versions of snort filters. Some of the filters that I'm going to be cataloguing don't have any easy way to index them, so I've finally come to terms with the fact that I need to build up a hashed index of the various fields in the rule, and decide whether or not one rule is "identical" to a previous rule based on how closely those fields match.

The fields that I think determine what packets a given filter matches are, for 1.7-style rules:

* ttl
* tos
* id
* ipoption
* fragbits
* dsize
* flags
* seq
* ack
* itype
* icode
* icmp_id
* icmp_seq
* content
* offset
* depth
* nocase
* rpc

So, in theory, any pair of filters that are identical for those fields are "the same", even if other options like msg happen to be different.

Does my list above look right? Am I missing anything on it? Is there anything on it that doesn't actually affect matching?

Also, is there any documentation on the extensions that 1.8 adds to the options list? The only examples I can find of those extensions are classtype, sid, and rev, and I can't find any explanations of what they do (although I have my ideas).

Thanks,
Sweth.

--
Sweth Chandramouli ; <svc () sweth net>
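The hashed index described in the post, written out as an added example (not code from the post or from the Snort project). It assumes the 1.7-style `keyword:value;` option syntax, uses the poster's field list as given, and also folds the rule header into the fingerprint, since that part of a rule clearly determines what is matched even though the post only discusses options.

```python
import hashlib
import re

# Option keywords the post lists as deciding what a 1.7-style rule matches.
# Taken verbatim from the post; whether it is complete is the poster's open question.
MATCH_FIELDS = {
    "ttl", "tos", "id", "ipoption", "fragbits", "dsize", "flags", "seq", "ack",
    "itype", "icode", "icmp_id", "icmp_seq", "content", "offset", "depth",
    "nocase", "rpc",
}

RULE_RE = re.compile(r"^\s*(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$")

# Constructed sample rules: A and B differ only in msg/rev, C has different content.
RULE_A = 'alert tcp any any -> any 80 (msg:"WEB test"; content:"/cgi-bin/test"; nocase; sid:1000001; rev:1;)'
RULE_B = 'alert tcp any any -> any 80 (msg:"WEB test v2"; content:"/cgi-bin/test"; nocase; sid:1000001; rev:2;)'
RULE_C = 'alert tcp any any -> any 80 (msg:"WEB test"; content:"/cgi-bin/other"; nocase; sid:1000002;)'


def parse_rule(rule: str):
    """Split a rule into its header and an ordered list of (keyword, value) pairs.

    Semicolons inside double-quoted values (content:"a;b") are not separators.
    Flag-style options such as `nocase` get the value None.
    """
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a rule: %r" % rule)
    header = " ".join(m.group("header").split())  # normalise whitespace
    options = []
    for raw in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group("options")):
        raw = raw.strip()
        if raw:
            key, _, value = raw.partition(":")
            options.append((key.strip(), value.strip() or None))
    return header, options


def match_fingerprint(rule: str) -> str:
    """SHA-1 over the header plus the match-relevant options only.

    msg, sid, rev and classtype are dropped, so rules differing only in that
    metadata hash identically. Option order is kept, because offset/depth/nocase
    modify the content: option that precedes them.
    """
    header, options = parse_rule(rule)
    relevant = [(k, v) for k, v in options if k in MATCH_FIELDS]
    canon = header + "|" + ";".join(k if v is None else f"{k}:{v}" for k, v in relevant)
    return hashlib.sha1(canon.encode()).hexdigest()
```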