Snort mailing list archives
Re: PCRE and cross packet matching
From: Jason Haar <Jason_Haar () trimble com>
Date: Mon, 06 Aug 2012 09:51:46 +1200
In a similar vein, "distance" only applies at the packet level: is there an equivalent keyword that applies at the stream level? I.e. every once in a while we get FPs on good rules due to the rule triggering on some mid-stream packet, when it is obvious the rule assumes it will only apply to the first packet.

E.g. just last week our vulnerability scanner ran and triggered "SMTP vrfy root" as it is meant to do. That is configured to generate an alert email, *and that alert email triggered the same rule, even though it was a FP*!! By pure chance the content of the alert email happened to put "vrfy" followed by " root" at the beginning of a mid-stream packet.

The rule is

alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; distance:0; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:3000004; rev:7;)

The "distance:0" is the problem: the *intent* of the rule is to match against the first chars in a TCP stream, whereas it's hitting the first chars in any packet of an existing stream.

So is there a better way of doing that?

BTW, if there is no "stream-based" equivalent to such keywords due to resource/complexity issues, how about creating keywords explicitly for the first packet of a stream - that is probably 99% of the problem area?

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
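Added example, not part of the thread or of Snort: a small Python model of the three checks in the rule Jason quotes, evaluated once per packet and once over the reassembled client-to-server stream. The Snort semantics are simplified (constructed payloads, first-match behaviour assumed); it shows why a segment that happens to begin mid-line with "vrfy root" satisfies the pcre's "^" at packet level but not at stream level, and why the opposite happens when "vrfy" and "root" straddle two packets.

```python
import re

# Constructed, simplified model of the quoted rule; this is not Snort's
# detection engine, only enough to show the effect of the packet boundary.
# content:"vrfy"; nocase; distance:0; content:"root"; distance:1; nocase;
# ("root" must begin at least one byte after the end of "vrfy")
CONTENT_RE = re.compile(rb"vrfy.+?root", re.S | re.I)
# pcre:"/^vrfy\s+root/smi" (Python's re.M gives '^' the same line-start meaning)
PCRE_RE = re.compile(rb"^vrfy\s+root", re.S | re.M | re.I)


def rule_hits(buf: bytes) -> bool:
    """Both content checks and the pcre must succeed on the same buffer."""
    return CONTENT_RE.search(buf) is not None and PCRE_RE.search(buf) is not None


def per_packet(packets):
    """Packet-level evaluation: every payload is its own buffer, so '^' lands
    on each packet boundary, not only on line starts in the conversation."""
    return [i for i, p in enumerate(packets) if rule_hits(p)]


def reassembled(packets) -> bool:
    """Stream-level evaluation over the concatenated client-to-server payloads."""
    return rule_hits(b"".join(packets))


# Constructed client->server payloads, one bytes object per TCP segment.
SCANNER = [b"EHLO scanner.example.test\r\n", b"VRFY root\r\n"]
ALERT_EMAIL = [
    b"MAIL FROM:<snort@example.test>\r\n",
    b"RCPT TO:<secops@example.test>\r\n",
    b"DATA\r\n",
    b"Subject: [snort] SMTP vrfy root\r\n\r\nRule fired: ",
    b"vrfy root attempt from 192.0.2.5\r\n.\r\n",  # segment starts mid-line
]
SPLIT = [b"EHLO scanner.example.test\r\n", b"VRFY", b" root\r\n"]

if __name__ == "__main__":
    for name, pkts in (("scanner", SCANNER), ("alert email", ALERT_EMAIL), ("split", SPLIT)):
        print(f"{name:12s} per-packet hits={per_packet(pkts)} reassembled={reassembled(pkts)}")
```

The alert-email case is the false positive from the mail: the fourth segment starts with "vrfy root", so per-packet evaluation fires, while on the reassembled stream those bytes sit after "Rule fired: " on the same line and the pcre does not match.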
Current thread:
- PCRE and cross packet matching vpiserchia () gmail com (Aug 03)
- Re: PCRE and cross packet matching Patrick Mullen (Aug 03)
- Re: PCRE and cross packet matching Tony Robinson (Aug 03)
- Re: PCRE and cross packet matching Marcos Rodriguez (Aug 03)
- Re: PCRE and cross packet matching Jason Haar (Aug 05)
- Re: PCRE and cross packet matching Joel Esler (Aug 06)
- Re: PCRE and cross packet matching Joel Esler (Aug 06)
- Re: PCRE and cross packet matching vpiserchia () gmail com (Aug 06)