Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: PCRE and cross packet matching

From: Jason Haar <Jason_Haar () trimble com>
Date: Mon, 06 Aug 2012 09:51:46 +1200
In a similar vein, "distance" only applies at the packet level: is there
an equivalent keyword that applies at the stream level?

ie every once in a while we get FPs on good rules due to the rule
triggering on some mid-stream packet, when it is obvious the rule
assumes it will only apply to the first packet. eg just last week our
vulnerability scanner ran and triggered "SMTP vrfy root" as it is meant
to do. That is configured to generate an alert email, *and that alert
email triggered the same rule, even though it was a FP*!! By pure chance
the content of the alert email happened to put "vrfy" followed by "
root" at the beginning of a mid-stream packet

The rule is

alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root";
flow:to_server,established; content:"vrfy"; nocase; distance:0;
content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi";
classtype:attempted-recon; sid:3000004; rev:7;)


The "distance:0" is the problem: the *intent* of the rule is to match
against the first chars in a TCP stream, whereas it's hitting the first
chars in any packet of an existing stream. So is there a better way of
doing that?

BTW, if there are no "stream-based" equivalent to such keywords due to
resource/complexity issues, how about creating keywords explicitly for
the first packet of a stream - that is probably 99% of the problem area?

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: