Snort mailing list archives
Re: PCRE and cross packet matching
From: Patrick Mullen <pmullen () sourcefire com>
Date: Fri, 3 Aug 2012 11:43:40 -0400
Vito,
> Do Snort pcre signatures match cross-packet content?
The answer isn't a simple yes or no, unfortunately. But thankfully, the answer isn't complicated, either.

As packets come across the wire individually, you can think of them as completely separate documents. So no, you cannot match across multiple packets in this way, much like you can't match across two different documents with a normal regular expression.

However, Snort will (depending on your configuration) reassemble multiple packets into a "super packet" and feed that back through the system. The pcre could then match on the contents of multiple packets because it would see them all together as a single "document."

There are still limitations, of course, largely based upon performance considerations. Namely, if the start of the pcre is at the beginning of the first packet and the ending of the match is 3000 bytes later in another packet, the pcre will probably not match because it'll be too slow and Snort will give up in the interest of not dropping packets. Also, you would have to make sure that the relevant packets were assembled together and that the stream reassembler is running on that port.

Is this a general question, or do you have a particular pcap and rule in mind that is not alerting for you? If you want to share your pcap and rule with me I'd be happy to take a look and let you know if it should alert or why it should not alert, and if possible I can provide some alternative strategies to hopefully get the results you want.

Thanks,

~Patrick

--
Patrick Mullen
Response Research Manager
Sourcefire VRT
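The behaviour Patrick describes (a pattern that straddles a segment boundary cannot match per packet, can match once the segments are reassembled into one buffer, and still fails if the reassembler hands the data over in two separate flushes) is easy to reproduce outside Snort. The following is an added, self-contained illustration written for this archive page; it is not Snort code and not part of the original thread. The TCP payloads, sequence numbers and the `evil-bot` User-Agent are constructed for the example, and the toy reassembler stands in for Snort's stream preprocessor: Python's `re` plays the role of the `pcre` rule option.

```python
import re

# Constructed traffic (not captured from any real host): the payloads of one
# direction of a TCP connection in the order the sender emitted them.
ORDERED_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\n",
    b"Host: example.test\r\n",
    b"X-Padding: " + b"A" * 40 + b"\r\n",
    b"User-Agent: evil-bot/1.0\r\n\r\n",
]
INITIAL_SEQ = 1000


def build_segments(payloads, initial_seq):
    """Assign sequence numbers the way a TCP sender does: each segment's seq
    is the previous seq plus the previous payload length."""
    segments, seq = [], initial_seq
    for payload in payloads:
        segments.append((seq, payload))
        seq += len(payload)
    return segments


SEGMENTS = build_segments(ORDERED_PAYLOADS, INITIAL_SEQ)
# What the sensor actually sees on the wire: one segment reordered and one
# retransmitted duplicate.
WIRE_ORDER = [SEGMENTS[0], SEGMENTS[2], SEGMENTS[1], SEGMENTS[1], SEGMENTS[3]]

# A pattern whose start lies in one segment and whose end lies in a later one,
# analogous to a Snort pcre option such as
#   pcre:"/Host: example\.test\r\n.*?User-Agent: evil-bot/s";
PATTERN = re.compile(rb"Host: example\.test\r\n.*?User-Agent: evil-bot", re.DOTALL)


def match_per_packet(segments, pattern):
    """Run the pattern against every segment on its own (no reassembly).
    Returns the seq numbers of matching segments; here none can match
    because no single segment carries both ends of the pattern."""
    return [seq for seq, payload in segments if pattern.search(payload)]


def reassemble(segments, initial_seq, flush_at=None):
    """Minimal in-order TCP reassembler standing in for Snort's stream
    preprocessor.  Out-of-order data is parked until the gap is filled,
    retransmissions of already-consumed data are dropped, and the result is
    the list of 'super packets' handed to detection.  If flush_at is set the
    buffer is handed off as soon as it holds that many bytes, imitating a
    reassembler that flushes early; bytes on either side of a flush boundary
    are never seen together by the matcher."""
    pending = {}
    expected = initial_seq
    buf = bytearray()
    super_packets = []
    for seq, payload in segments:
        if seq < expected:          # retransmission of data already consumed
            continue
        pending.setdefault(seq, payload)
        while expected in pending:  # drain every now-contiguous segment
            chunk = pending.pop(expected)
            buf += chunk
            expected += len(chunk)
            if flush_at is not None and len(buf) >= flush_at:
                super_packets.append(bytes(buf))
                buf = bytearray()
    if buf:
        super_packets.append(bytes(buf))
    return super_packets


def match_reassembled(segments, initial_seq, pattern, flush_at=None):
    """Indices of the reassembled super packets in which the pattern matches."""
    return [i for i, sp in enumerate(reassemble(segments, initial_seq, flush_at))
            if pattern.search(sp)]


if __name__ == "__main__":
    print("per packet:        ", match_per_packet(WIRE_ORDER, PATTERN))
    print("reassembled:       ", match_reassembled(WIRE_ORDER, INITIAL_SEQ, PATTERN))
    print("flushed at 64 B:   ", match_reassembled(WIRE_ORDER, INITIAL_SEQ, PATTERN, flush_at=64))
```

Per packet the pattern never fires; over the single reassembled buffer it fires once; with a 64-byte flush the `Host:` header ends up in the first super packet and `User-Agent:` in the second, so it does not fire at all even though every byte was reassembled correctly. In Snort 2.x the corresponding knobs are the reassembly port lists of the `stream5_tcp` preprocessor (the port must be in the list for the "super packet" to exist) and `config pcre_match_limit` / `config pcre_match_limit_recursion`, which are what makes the engine give up on a long-distance `.*` match rather than stall the sensor.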