Snort mailing list archives

Re: question about paf


From: Hyunseok <hyunseok () ieee org>
Date: Thu, 18 Dec 2014 16:16:50 -0500

Thanks for your reply and clarification.

On Thu, Dec 18, 2014 at 11:35 AM, Russ Combs (rucombs) <rucombs () cisco com>
wrote:

* There are ways to deal with the limits though.  If a PDU must be split,
Snort shifts the split point by a random amount to make it less
predictable.  Also, the issue you bring up could be handled by setting a
flow bit on an earlier PDU or PDU part and checking that when detecting a
later PDU or PDU part.  Also, preprocessors check for any conditions that
must be detected before the PDU is assembled.


As you said, flowbits could be one way to correlate detections across
blocks.  But I'm still not sure whether that's a real solution.  It might be a
contrived example, but say there is a known attack string of 48K length in an
HTTP payload.  Then with a 16K max-paf, the attack string will be split over
up to 4 consecutive PDU blocks.  Maybe I am not an expert Snort rule writer,
but it doesn't seem trivial or possible to write detection rules to match
such consecutive blocks that hold a long string using flowbits.

-HS
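One way to set up the flowbits chain Russ describes, written here as an added illustration and not taken from the thread or from the Snort project: three Snort 2.9-style rules, each matching a short marker from a different region of the hypothetical 48K string and handing state to the next rule through a flow bit. The markers "MARK_A", "MARK_B" and "MARK_C", the longstr.* flow bit names and SIDs 1000001 to 1000003 are placeholders, and the string is assumed to arrive in an HTTP request body.

```snort
# Added example, not from the original thread or from Snort's rule set.
# MARK_A/MARK_B/MARK_C stand in for short, distinctive substrings taken from
# the start, middle and end of a hypothetical 48K attack string; the SIDs
# and flow bit names are placeholders.

# Stage 1: the head of the string.  Do not alert, just remember it was seen
# on this flow.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LONGSTR stage 1 (head seen)"; \
    flow:to_server,established; \
    content:"MARK_A"; http_client_body; \
    flowbits:set,longstr.part1; flowbits:noalert; \
    sid:1000001; rev:1;)

# Stage 2: the middle of the string.  Only meaningful if stage 1 already
# fired on the same flow, possibly in an earlier flushed PDU block.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LONGSTR stage 2 (middle seen)"; \
    flow:to_server,established; \
    flowbits:isset,longstr.part1; \
    content:"MARK_B"; http_client_body; \
    flowbits:set,longstr.part2; flowbits:noalert; \
    sid:1000002; rev:1;)

# Stage 3: the tail of the string.  This is the rule that actually alerts,
# and it clears the chain state so a later request on a kept-alive
# connection has to start over.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LONGSTR head, middle and tail seen on one flow"; \
    flow:to_server,established; \
    flowbits:isset,longstr.part2; \
    content:"MARK_C"; http_client_body; \
    flowbits:unset,longstr.part1; flowbits:unset,longstr.part2; \
    sid:1000003; rev:1;)
```

The reason for matching short markers rather than 16K slices of the string is the one HS raises: a content match never spans two flushed blocks, and because Snort shifts the split point by a random amount you cannot predict where a block boundary will land, so every content you match has to be small relative to the block size. A marker a few dozen bytes long will almost never straddle a boundary, whereas a 16K slice is cut whenever the shift moves the boundary. The chain does not prove that all 48K bytes arrived intact and contiguous; it only establishes that the three markers appeared in order on the same flow, which is what flowbits can express.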