Snort mailing list archives

Pattern Matching


From: Rayne <hjazz6 () ymail com>
Date: Thu, 16 Oct 2008 02:55:55 -0700 (PDT)

Hi all,

I have a few questions regarding the pattern matching aspect of Snort.

1) If I have the following rule option (content:"ABC", content:"DEFGH"), am I right to say that the string "DEFGH" will be compared first to see if there is a match, and if there is, then "ABC" is compared, because "DEFGH" is the longer string?

2) Is it possible to have one rule activate another rule within the same packet, i.e. when a content match with "AB" is found, it will trigger another rule that consists of a content match with a longer string, e.g. "CDEFG". This would be something similar to activate/dynamic, except from what I understand, dynamic only logs a certain number of subsequent packets that match the first rule after being activated, which is not exactly what I want to do. If this is possible, does the second content match start from the beginning of the payload, or from where "AB" was matched?

3) Say I have 5 rules each with one content match. All the rule headers are the same, i.e. the 5 OTNs are under the same RTN, and they contain only the content match. Using the AC search method, does Snort build just one DFA that contains all 5 strings so each packet can be searched through only once for all 5 strings at a time, or is a DFA built for every OTN/string, resulting in searching through each packet 5 times? What if one of the rules has 3 content matches while the other 4 have only one content match each? How is the DFA built then?

4) Does the pattern matching algorithm return the position within the payload where the pattern is found? For example, if I'm matching for the string "GET" and the payload is "kas sdfGETjkdn", will I get something like "Pattern "GET" matched at position 8"? Also, in acsmx.c, it is mentioned that the AC algorithm "finds all occurrences of all patterns within a body of text". If there are, say, 5 occurrences of a pattern string, do I get one alert/log per occurrence, one alert/log per pattern matched (if there are multiple content strings in the rule option) or one alert/log per rule (regardless of the number of content strings in the rule option)?

5) How long does Snort hold fragments for reassembly in Frag3 and Stream5 before discarding the packets if they are incomplete?

Thank you.

Regards,
Rayne
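To make questions 3 and 4 concrete, here is a minimal Aho-Corasick matcher, written as an added illustration for this thread and not taken from Snort's acsmx.c: all patterns are compiled into one automaton, the text is scanned exactly once, and every occurrence of every pattern is reported together with its start offset. The patterns and payload below are constructed from the strings in the post; offsets are 0-based.

```python
from collections import deque


def build_automaton(patterns):
    """Compile ALL patterns into a single trie with failure links (one machine, not one per pattern)."""
    goto = [{}]   # goto[state][char] -> next state
    out = [[]]    # out[state] -> indices of patterns that end in this state
    for idx, pat in enumerate(patterns):
        s = 0
        for ch in pat:
            if ch not in goto[s]:
                goto[s][ch] = len(goto)
                goto.append({})
                out.append([])
            s = goto[s][ch]
        out[s].append(idx)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())          # depth-1 states fail back to the root
    while queue:                             # breadth-first, so fail[s] is final before s is processed
        r = queue.popleft()
        for ch, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] = out[s] + out[fail[s]]   # a shorter pattern may end inside a longer one (e.g. "AB" in "ABC")
    return patterns, goto, fail, out


def find_all(patterns, text):
    """Single pass over text; returns every (pattern, start_offset) hit in the order the matcher sees them."""
    patterns, goto, fail, out = build_automaton(patterns)
    hits, s = [], 0
    for pos, ch in enumerate(text):
        while s and ch not in goto[s]:
            s = fail[s]
        s = goto[s].get(ch, 0)
        for idx in out[s]:                   # report all patterns ending at this position
            hits.append((patterns[idx], pos - len(patterns[idx]) + 1))
    return hits


if __name__ == "__main__":
    # constructed payload combining the strings from the questions above
    for pattern, start in find_all(["ABC", "DEFGH", "GET", "AB"], "kas sdfGETjkdn ABCDEFGH GET"):
        print(f'Pattern "{pattern}" matched at offset {start}')
```

Note that "GET" is reported twice (two occurrences, one scan) and that "AB" and "ABC" are both reported for the same text position, which is the "all occurrences of all patterns" behaviour the acsmx.c comment describes.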
