Snort mailing list archives
Re: PCRE and cross packet matching
From: Marcos Rodriguez <marcos.e.rodriguez () gmail com>
Date: Fri, 3 Aug 2012 12:11:15 -0400
On Fri, Aug 3, 2012 at 11:58 AM, Tony Robinson <trobinson () sourcefire com>wrote:
Just to further explain Patrick's message, While it isn't explicitly spelled out, Patrick is more or less referring to frag3 and stream 5. If you utilize ip defragmentation, and stream reassembly, we have an entire TCP stream that the rule can work against. If frag3/s5 are not being used to defragment/reassemble packets and TCP segments, you will only have individual packets to work with. A good, general rule of thumb for using PCRE in this instance is to have some sort of a content match prior to using PCRE so snort knows where in the packet or stream to use the PCRE engine to shred through the data from that point onward, so you don't run into the problem of snort giving up on a PCRE match. hope this helps, -Tony On Fri, Aug 3, 2012 at 9:53 AM, vpiserchia () gmail com <vpiserchia () gmail comwrote:Hello Snort Gurus I have the following question for you: does snort pcre signatures match cross-packets content? I googled a bit and no other answers found about this topic, sry if aI missed any regards vito piserchia ------------------------------------------------------------------------------Tony Robinson Security Consultant I SourceFIRE Professional Services Division
Hi Guys, That's a great write up, and I vote for its inclusion into the Snort manual under PCRE. marcos
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- PCRE and cross packet matching vpiserchia () gmail com (Aug 03)
- Re: PCRE and cross packet matching Patrick Mullen (Aug 03)
- Re: PCRE and cross packet matching Tony Robinson (Aug 03)
- Re: PCRE and cross packet matching Marcos Rodriguez (Aug 03)
- Re: PCRE and cross packet matching Jason Haar (Aug 05)
- Re: PCRE and cross packet matching Joel Esler (Aug 06)
- Re: PCRE and cross packet matching Joel Esler (Aug 06)
- Re: PCRE and cross packet matching vpiserchia () gmail com (Aug 06)