Snort mailing list archives
RE: How does snort do packet signature detection?
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 02 Oct 2003 20:40:50 -0400
At 02:07 PM 10/2/2003, Hernan Bugallo wrote:
Is snort smart enough to search only an http attack signature inside the http packets, or does it check it against other types of packets? And maybe, to be more granular, to inspect just a few signatures related to the state of the connection and protocol of each packet??
That depends on how the particular rule is written. Generally HTTP attack signatures are written in such a way as to only match http sessions. But this is strictly based on how the rule writer for a given signature chooses to write it. Snort itself is just a search engine of sorts, and provides an extremely powerful and complex array of options that a signature writer can use. It's not perfect, but it sure as heck does a lot of pre-processing for the rules. As I said before in this thread, it understands pretty much all the fields of ip, tcp, udp and icmp headers, and it understands tcp connection states. Snort is also aware of URI portions of http packets, and can have rules that only look for a pattern in a URI.
Thanks to the http_decode preprocessor, it's also aware of escape sequences and the like, and will normalize http requests before running the rules against them. This prevents an attacker from avoiding an http attack signature by merely using QP encoding for a few characters of the attack. (i.e., escaping a few characters in command.exe won't stop snort from realizing that the http request contains the string command.exe and is likely an attack against an IIS server).
I'd really suggest that you read the manual that discusses what options rules have available to them. This will describe what kinds of things snort is capable of in far greater detail than any person on the list can.
http://www.snort.org/docs/writing_rules/

You might also consider reading some of the Development papers in the docs section of the website. These were written by some of the authors of snort, and may go into great detail discussing methods of analysis used by snort.
http://www.snort.org/docs/#devel
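As an added illustration (not Snort's code, and not part of Matt's reply), here is a simplified Python model of the two behaviours described above: the rule is applied only to traffic on an assumed HTTP port (80), and the request URI is percent-decoded once before the pattern is searched, so an escaped `comm%61nd.exe` still matches while a raw byte search would miss it. The packets are constructed sample input.

```python
# Added example, not Snort's own code: a toy model of an HTTP rule that
# (1) covers only HTTP sessions and (2) runs after URI escape normalization,
# as the http_decode preprocessor is described to do.
from string import hexdigits

HTTP_PORTS = {80}  # assumption: "HTTP session" approximated by destination port


def normalize_uri(uri):
    """Decode %XX escape sequences once (simplified stand-in for http_decode)."""
    out, i = [], 0
    while i < len(uri):
        hexpair = uri[i + 1:i + 3]
        if uri[i] == "%" and len(hexpair) == 2 and all(c in hexdigits for c in hexpair):
            out.append(chr(int(hexpair, 16)))
            i += 3
        else:
            out.append(uri[i])  # malformed escapes are left as-is
            i += 1
    return "".join(out)


def request_uri(payload):
    """Return the URI from an HTTP request line, or None if this is not one."""
    parts = payload.split("\r\n", 1)[0].split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        return parts[1]
    return None


def rule_matches(rule, pkt, normalize=True):
    """Port constraint first, then a uricontent-style search on the URI."""
    if pkt["dport"] not in rule["dports"]:
        return False  # rule is written to cover HTTP sessions only
    uri = request_uri(pkt["payload"])
    if uri is None:
        return False
    if normalize:
        uri = normalize_uri(uri)
    return rule["uricontent"] in uri


def alerts(rule, packets, normalize=True):
    """Indices of packets that trigger the rule."""
    return [i for i, p in enumerate(packets) if rule_matches(rule, p, normalize)]


RULE = {"dports": HTTP_PORTS, "uricontent": "command.exe"}

PACKETS = [  # constructed sample traffic
    {"dport": 80, "payload": "GET /command.exe HTTP/1.0\r\nHost: x\r\n\r\n"},
    {"dport": 80, "payload": "GET /comm%61nd.exe HTTP/1.0\r\nHost: x\r\n\r\n"},
    {"dport": 25, "payload": "MAIL FROM:<command.exe@example.test>\r\n"},
]

if __name__ == "__main__":
    print("with normalization:   ", alerts(RULE, PACKETS))         # [0, 1]
    print("without normalization:", alerts(RULE, PACKETS, False))  # [0]
```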