Snort mailing list archives

Re: PCRE and cross packet matching


From: "vpiserchia () gmail com" <vpiserchia () gmail com>
Date: Mon, 06 Aug 2012 13:34:48 +0200

Hello Patrick, Tony

Thank you for your exhaustive answers.

First of all, I have to say that the first experiments were made with the
PFRING DAQ module, and I can confirm that in this case the PCRE signature
is not able to match cross-packet content.

The way I launched snort is like this:

snort --pid-path /root/snort/ -D \
        -c /etc/snort/snort.conf -i eth1,eth2 \
        -l /root/snort/ -A fast \
        --daq-dir /opt/daq/lib/daq --daq pfring --daq-mode passive


Today I made more tests and changed the setup of my experiments a bit:
now I use the "standard" PCAP DAQ module, in this way:

snort --pid-path /root/snort/ -D \
        -c /etc/snort/snort.conf -i eth1,eth2 \
        -l /root/snort/ -A fast \
        --daq-dir /opt/daq/lib/daq --daq pcap --daq-mode passive


With this setup the PCRE signature now works well and alerts as expected.

So my new question for the list is:
has anyone already experienced this behaviour with the pfring DAQ module
and PCRE signatures?

best regards
vito



On 08/03/2012 05:58 PM, Tony Robinson wrote:
Just to further explain Patrick's message,

While it isn't explicitly spelled out, Patrick is more or less
referring to frag3 and Stream5. If you utilize IP defragmentation
and stream reassembly, we have an entire TCP stream that the rule can
work against. If frag3/Stream5 are not being used to defragment/reassemble
packets and TCP segments, you will only have individual packets to
work with.

A good, general rule of thumb for using PCRE in this instance is to
have some sort of content match prior to using PCRE, so Snort knows
where in the packet or stream to use the PCRE engine to shred through
the data from that point onward, so you don't run into the problem of
Snort giving up on a PCRE match.

hope this helps,

-Tony

On Fri, Aug 3, 2012 at 9:53 AM, vpiserchia () gmail com wrote:

    Hello Snort Gurus

    I have the following question for you:

    Do Snort PCRE signatures match cross-packet content?

    I googled a bit and found no other answers about this topic; sorry if I
    missed any.

    regards
    vito piserchia



    ------------------------------------------------------------------------------
    Live Security Virtual Conference
    Exclusive live event will cover all the ways today's security and
    threat landscape has changed and how IT managers can respond.
    Discussions
    will include endpoint security, mobile security and the latest in
    malware
    threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    <mailto:Snort-users () lists sourceforge net>
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users

    Please visit http://blog.snort.org to stay current on all the
    latest Snort news!




-- 

Tony Robinson
Security Consultant I
SourceFIRE Professional Services Division
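
The point Tony makes above, that a rule's pcre can only see what the
preprocessors hand it, can be shown without a sensor. The following is an
added example written for this archive page, not code from Snort or from
anyone in the thread. It uses Python's re module as a stand-in for PCRE, a
constructed HTTP request as the "stream", and a deliberately naive
join-the-segments function as a stand-in for Stream5 reassembly (real
Stream5 also handles ordering, overlaps and target-based policies, which
this toy ignores). It then emulates the "content before pcre" rule of thumb
by running the regex only from the offset where the cheap content match hit.

```python
import re

# Constructed sample: one HTTP request as Snort would see it after Stream5
# has reassembled the TCP stream. The pattern we care about straddles the
# point where the request is split into two TCP segments below.
REQUEST = (
    b"GET /cgi-bin/status?cmd=ping HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: scanner/0.1\r\n\r\n"
)

# Split the request into two segments so that "cmd=ping" is cut in half:
# segment 1 ends in "...status?cm", segment 2 starts with "d=ping ...".
SPLIT_AT = REQUEST.index(b"cmd=") + 2
SEGMENTS = [REQUEST[:SPLIT_AT], REQUEST[SPLIT_AT:]]

# Stand-in for a rule's pcre option: the query parameter on a GET line.
PCRE = re.compile(rb"^GET\s+\S*\?cmd=(\w+)", re.MULTILINE)
# Stand-in for the rule's content option placed before the pcre.
CONTENT = b"GET "


def match_per_packet(segments, pattern=PCRE):
    """Run the regex against each segment on its own: what a rule sees when
    frag3/Stream5 are not reassembling and pcre is handed single packets."""
    return [bool(pattern.search(seg)) for seg in segments]


def reassemble(segments):
    """Toy stand-in for Stream5: assumes in-order segments, no gaps, no
    overlaps. Real reassembly does far more; this only joins the bytes."""
    return b"".join(segments)


def match_reassembled(segments, pattern=PCRE):
    """Run the regex against the reassembled stream and return the captured
    parameter value, or None if there is no match."""
    m = pattern.search(reassemble(segments))
    return m.group(1).decode() if m else None


def content_then_pcre(data, content=CONTENT, pattern=PCRE):
    """Emulate 'content before pcre': the cheap content search picks the
    offset and the regex only runs from there. If the content is absent the
    regex engine is never entered at all, which is the cost saving Tony
    describes."""
    offset = data.find(content)
    if offset < 0:
        return None
    m = pattern.search(data, offset)
    return m.group(1).decode() if m else None


if __name__ == "__main__":
    print("per-packet matches:", match_per_packet(SEGMENTS))
    print("reassembled match: ", match_reassembled(SEGMENTS))
    print("content+pcre:      ", content_then_pcre(reassemble(SEGMENTS)))
```

Running it shows neither segment matching on its own, while the reassembled
stream yields "ping". The same split is why a pcre-only rule fires against a
reassembled stream but stays silent when the DAQ/preprocessor path leaves
the rule engine looking at individual packets.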




