Snort mailing list archives
Re: Fwd: Rule checking logic ("checking" as defined by rule profile stats) question
From: Mike Cox <mike.cox52 () gmail com>
Date: Wed, 9 Jan 2013 14:30:26 -0600
Thanks for the response Steve. PAF is on but not configured in the conf so I'm guessing it is the default. From Snort's startup output:

    Protocol Aware Flushing: ACTIVE
    Maximum Flush Point: 16384

Hmmm, turning off PAF causes the numbers to line up (e.g. doubles the checks for the rule(s) using http_*). Is reassembly a cause of the discrepancy with PAF turned on? The packets I'm using have POST data but are small enough that they shouldn't be fragmented using a reasonable MTU....

Thanks.

-Mike Cox

On Wed, Jan 9, 2013 at 1:01 PM, Steven Sturges <ssturges () sourcefire com> wrote:
Hi Mike--

Not sure what version of Snort you were using... :)

With Snort 2.9.4, I ran a few tests taking the rule examples you mention and using a single content w/ and w/out http_header. While I didn't reproduce the 'exactly double' count you saw, I got similar results. Here are the details of the tests I ran.

My two rules:

    alert tcp any any -> any 80 (msg:"Test 1"; content:"index.html"; http_uri; sid:1111;)
    alert tcp any any -> any 80 (msg:"Test 1"; content:"index.html"; sid:2222;)

These tests are just using a basic snort.conf & related w/ paf_max set to 0.

1) simple get (eg, wget http://localhost/index.html)

With that pcap, I get 2 checks for each of the 2 rules (once on the raw packet, once on the reassembled packet). That makes sense.

2) A more complex get of that same page, with subsequent gets for images & other stuff from said page. Those requests have HTTP Headers, and I see 3 checks for 2222 & 2 checks for 1111 -- the one without the HTTP modifier is checked an extra time. In order, I see it processing as follows:

    Packet A (raw GET)
      --> pattern match on URI Buffer (hits 1111)
      --> pattern match on raw packet data (hits 2222)
    Packet B (reassembled)
      --> pattern match on URI Buffer (hits 1111)
      --> pattern match on raw packet data (hits 2222)
      --> pattern match on raw packet data (hits 2222)

The second one that is checking the raw packet data and hits 2222 is from the 2nd of a pipelined request extracted from the stream reassembled packet -- the raw packet data there is the same.

When I set paf_max to 16384, I get 2 checks on 2222 (raw + reassembled) and 1 check on 1111 (reassembled).

So, the question comes down to what is your paf_max setting in snort.conf?

Cheers.
-steve

On 1/8/13, 3:41 PM Mike Cox wrote:

I created two rules that were identical except one used the http_header keyword modifier in all its content matches (along with the 'H' flag in the PCRE) and the other doesn't have the content modifiers or 'H' in the PCRE.
However, when testing these rules on a small and crafted pcap, and looking at the Rule Profile Stats, the one that doesn't use http_* content modifiers always has exactly twice the number of "Checks" than the one that does. According to the Snort manual, "Checks (number of times rule was evaluated after fast pattern match within portgroup or any->any rules)". Based on the pcap and the port and direction the rules are looking for, there is just one packet that will be inspected after the fast pattern match (actually fast_pattern is specifically set in the rule too but for the same content in both).

I know someone (*cough* Joel) will ask for pcaps and rules but I can't provide them. However, I was thinking that someone who knew more about the internal engine logic could enlighten me as to why this is.

Thanks.

-Mike Cox

------------------------------------------------------------------------------
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
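The counting behaviour Steve describes above (the raw payload buffer is scanned once per packet and once per reassembled buffer, plus once more per pipelined request, while an http_* content is only evaluated against the reassembled request once PAF is on) is easiest to confirm from the rule profile table itself rather than by reasoning about the engine. The following is an added example, not code from this thread or from the Snort project: a small Python script that parses a Snort 2.9-style "profile rules" table, pairs rules that share the same content strings but differ only in an http_* modifier, and reports the ratio of their Checks counts. The profile table, the Num/GID/Rev/Microsecond figures and the column layout are constructed for the example; only the two rules and the Checks counts (3 for sid 2222, 2 for sid 1111) are taken from Steve's paf_max 0 test.

```python
import re
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample of a Snort 2.9.x "profile rules" table.  The Checks
# values mirror the thread's paf_max=0 run: 3 for sid 2222 (no http
# modifier) and 2 for sid 1111 (http_uri).  Microsecond figures are made up.
SAMPLE_PROFILE = """\
Rule Profile Statistics (all rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts               Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======               =========  =========  ========= ============   ========
     1     2222   1   0          3         3         3                      12        4.0        4.0          0.0          0
     2     1111   1   0          2         2         2                       9        4.5        4.5          0.0          0
"""

# The two rules from Steve's test.
RULES = [
    'alert tcp any any -> any 80 (msg:"Test 1"; content:"index.html"; http_uri; sid:1111;)',
    'alert tcp any any -> any 80 (msg:"Test 1"; content:"index.html"; sid:2222;)',
]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
CONTENT_RE = re.compile(r'content\s*:\s*(!?"[^"]*")')
HTTP_MOD_RE = re.compile(r"\bhttp_[a-z_]+\s*;")


def rule_sid(rule: str) -> int:
    """Return the sid of a rule (raises if the rule has none)."""
    m = SID_RE.search(rule)
    if not m:
        raise ValueError("rule has no sid: " + rule)
    return int(m.group(1))


def rule_contents(rule: str) -> Tuple[str, ...]:
    """All content strings, in order; used to pair otherwise identical rules."""
    return tuple(CONTENT_RE.findall(rule))


def uses_http_modifier(rule: str) -> bool:
    """True if any content is tied to an http_* buffer (http_uri, http_header, ...)."""
    return HTTP_MOD_RE.search(rule) is not None


def parse_rule_profile(text: str) -> Dict[int, Dict[str, float]]:
    """Parse the whitespace-aligned profile table into {sid: {column: value}}.

    The header row names the columns; data rows are those whose first field
    is the numeric 'Num' index and whose field count matches the header.
    """
    header: List[str] = []
    stats: Dict[int, Dict[str, float]] = {}
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["Num", "SID"]:
            header = fields
            continue
        if not header or not fields or not fields[0].isdigit():
            continue
        if len(fields) != len(header):
            continue  # separator line or truncated row
        row = {name: float(value) for name, value in zip(header, fields)}
        stats[int(row["SID"])] = row
    return stats


def compare_pairs(rules: List[str], stats: Dict[int, Dict[str, float]]) -> List[Tuple[int, int, float]]:
    """Pair rules with identical content lists where exactly one uses an
    http_* modifier, and return (http_sid, raw_sid, raw_checks / http_checks).

    A ratio above 1.0 means the unmodified rule was evaluated extra times: in
    Steve's test the raw buffer is checked per packet and per reassembled
    buffer (and again for a pipelined request), while with PAF on the http_*
    content is only checked against the reassembled request.
    """
    out: List[Tuple[int, int, float]] = []
    for a, b in combinations(rules, 2):
        if rule_contents(a) != rule_contents(b):
            continue
        if uses_http_modifier(a) == uses_http_modifier(b):
            continue
        http_rule, raw_rule = (a, b) if uses_http_modifier(a) else (b, a)
        http_sid, raw_sid = rule_sid(http_rule), rule_sid(raw_rule)
        if http_sid not in stats or raw_sid not in stats:
            continue
        ratio = stats[raw_sid]["Checks"] / stats[http_sid]["Checks"]
        out.append((http_sid, raw_sid, ratio))
    return out


if __name__ == "__main__":
    profile = parse_rule_profile(SAMPLE_PROFILE)
    for http_sid, raw_sid, ratio in compare_pairs(RULES, profile):
        print(f"sid {raw_sid} (raw) checked {ratio:.2f}x as often as sid {http_sid} (http_*)")
```

Feeding it the table from a paf_max 16384 run (2 checks on 2222, 1 on 1111, per Steve's second test) would report a ratio of 2.0 for the same pair, which is the "exactly double" figure Mike saw; the ratio is a quick way to tell whether a Checks discrepancy is explained by raw-vs-reassembled evaluation rather than by a rule bug.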