Snort mailing list archives

Re: Regular Expression Matching in Snort Rules


From: Mitesh Jadia <mitesh.jadia () gmail com>
Date: Fri, 17 Oct 2014 11:34:27 +0530

Different search methods are available in snort.

AC* methods will build a DFA for all contents written in signatures (the largest
content by length is taken for each signature).
Now, to match all eligible signatures on a packet, the packet data buffer
(p->data) is given to the DFA, and if the DFA finds any of the contents registered
with it, it calls the corresponding signature evaluator function.

So, with this technique we can reduce the processing time by not calling the
signature evaluator function for a signature which is not going to match
this packet.


Suppose you have two signatures like:

alert tcp any any -> any any ( sid:...; msg:"...";   content:"abc";
pcre:"/^[0-9A-F]{32,48}/i"; )
alert tcp any any -> any any ( sid:...; msg:"...";   content:"def";
pcre:"/^[0-9A-F]{32,48}/i"; )

and your packet content looks like

abcxxxxxxxxxx

Now when the packet data buffer is sent to the DFA, the DFA will call the sig-eval
function for signature 1 only.
In the sig-eval function, after matching content 'abc', pcre evaluation will take
place.

Ultimately there is no DFA built for pcre or regex in snort.


You can refer to the detection-plugins/sp_pcre.c file. Its functionality is to
parse the pcre data from the signature and compile it at snort-init time. The
evaluation function of pcre will match the pcre on the data buffer using the *SnortPcre*
function, which uses pcre_exec (a pcre library function).


If you are using only pcre and there is no content written in the signature,
then this signature will be a no-content signature. It will be executed for
each packet after the port_group has been confirmed.


--Mitesh
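To make the two-stage flow described in this reply concrete, here is an added toy model of it in Python. It is not Snort's code (the real matchers and sp_pcre.c are in C and use libpcre); it only mirrors the behaviour the reply describes: the longest content of each rule becomes its fast pattern, all fast patterns go into one Aho-Corasick automaton that is run over the payload, and only rules whose fast pattern fires get their full content and regex checks, while a rule with no content is evaluated on every packet. The rule dicts, the sids and the payloads are constructed for the example; Python's re stands in for pcre_exec.

```python
"""Toy model of Snort's fast-pattern + pcre evaluation (added example, not
Snort's own code). Patterns and payloads are bytes; regexes use Python re."""
import re
from collections import deque


class AhoCorasick:
    """Minimal Aho-Corasick automaton over byte strings (goto/fail/output)."""

    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for pid, pat in enumerate(patterns):
            node = 0
            for ch in pat:
                if ch not in self.goto[node]:
                    self.goto.append({})
                    self.out.append(set())
                    self.fail.append(0)
                    self.goto[node][ch] = len(self.goto) - 1
                node = self.goto[node][ch]
            self.out[node].add(pid)
        # Standard BFS construction of failure links; depth-1 nodes fail to root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                st = self.fail[r]
                while st and ch not in self.goto[st]:
                    st = self.fail[st]
                self.fail[s] = self.goto[st].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]

    def search(self, data):
        """Return the ids of every pattern that occurs anywhere in data."""
        hits, node = set(), 0
        for ch in data:
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            hits |= self.out[node]
        return hits


# Constructed rules (hypothetical sids). Rule 1000004 has no content at all.
RULES = [
    {"sid": 1000001, "contents": [b"abc"], "pcre": rb"^[0-9A-F]{32,48}", "flags": re.I},
    {"sid": 1000002, "contents": [b"def"], "pcre": rb"^[0-9A-F]{32,48}", "flags": re.I},
    {"sid": 1000003, "contents": [b"GET ", b"/login.php"], "pcre": rb"user=[^&]{64,}", "flags": 0},
    {"sid": 1000004, "contents": [], "pcre": rb"^[0-9A-F]{32,48}", "flags": re.I},
]


def compile_rules(rules):
    """Mimic snort-init: longest content per rule becomes its fast pattern,
    one automaton is built over all fast patterns, each pcre is precompiled."""
    compiled, fast_patterns = [], []
    for r in rules:
        rc = {"sid": r["sid"], "contents": r["contents"],
              "regex": re.compile(r["pcre"], r["flags"]), "fp": None}
        if r["contents"]:
            rc["fp"] = len(fast_patterns)
            fast_patterns.append(max(r["contents"], key=len))
        compiled.append(rc)
    return AhoCorasick(fast_patterns), compiled


def evaluate(ac, compiled, payload):
    """Return (sids that matched, sids whose sig-eval function was called)."""
    fired = ac.search(payload)
    matched, evaluated = [], []
    for rc in compiled:
        if rc["fp"] is not None and rc["fp"] not in fired:
            continue  # fast pattern absent: the rule is never evaluated
        evaluated.append(rc["sid"])  # no-content rules always land here
        if all(c in payload for c in rc["contents"]) and rc["regex"].search(payload):
            matched.append(rc["sid"])
    return matched, evaluated


AC, COMPILED = compile_rules(RULES)


def run(payload):
    return evaluate(AC, COMPILED, payload)


if __name__ == "__main__":
    for p in (b"abcxxxxxxxxxx",
              b"ABCDEF0123456789ABCDEF0123456789abc",
              b"GET /login.php?user=" + b"A" * 70 + b" HTTP/1.1"):
        print(p[:40], run(p))
```

On the payload from the reply (`abcxxxxxxxxxx`) only sid 1000001 and the no-content rule 1000004 are evaluated, and neither matches because the regex needs 32 hex digits; the second payload shows the same rule matching once the content and the regex both hold; the third shows a rule with two contents being selected by its longer one. Note that the no-content rule runs on every packet, which is exactly the cost the reply warns about.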


On Thu, Oct 16, 2014 at 11:22 PM, Venkataramesh Bontupalli <
bontupalliv1 () udayton edu> wrote:

Could you enlighten me on how SNORT performs Regular Expression
Matching?

Thanks and Regards,
VenkataRamesh

On Thu, Oct 16, 2014 at 12:44 PM, Mitesh Jadia <mitesh.jadia () gmail com>
wrote:

As per my knowledge, no state machine is built for pcre. It is only
generated for contents.

That is why the best practice when writing a signature is to first try to match a
content and after that write the pcre keyword.

-- Mitesh




Venkataramesh Bontupalli <bontupalliv1 () udayton edu> wrote:

Dear Snort-Users,

I am trying to understand how snort performs regular expression
matching, i.e. the PCRE option in the snort rules.

However, through the literature study I understood that Snort generates a
Finite State Machine (FSM) during compilation.

Could anyone let me know what kind of FSM it generates?
Is it a Deterministic Finite Automaton (DFA) or a Non-Deterministic Finite
Automaton (NFA)?

Any help is highly appreciated.

Thanks and Regards,
VenkataRamesh



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
