[Snort-devel] port (and ip?) lists

Hi Folks,

It's been a while since I've done much in the way of snort hacking. After I took the IT Security Officer position for Duke, it was a matter of a severe lack of time. Anyway, I recently decided that for my own sanity I needed to get back involved in something that was programming oriented. So, I started thinking about Snort (which we use here extensively) and one of the first things that seemed like it still needed doing was the ability to add arbitrary port and ip lists.

My original intention was to allow for the OR-ing of ports along with the spurious NOT. But as I started thinking about this, I realized that something even more generic was called for. For example, I may want to specify all privileged ports (1:1024), except for the windows ports (135-139, 445, 593). So we might want to write a port list like the following:

1:1024 & !(135:139 | 445 | 593)

So, it turns out that this isn't so bad. I've got code now that will take the above and turn it into a postfix notation:

1:1024 135:139 445 | 593 | ! &

I've also got 3 different routines (and can envision a 4th) that will evaluate the postfix expression against a given port. Each routine has a different performance/memory trade-off. The 4 methods I've thought about for evaluation are:

• carry around a text string which is the postfix notation and then parse and evaluate the string for each port (real cheap from the memory standpoint, kind of a dog for evaluation)
• pre-convert the string to a token list stored in an Nx3 array of shorts (some memory usage, but twice as fast)
• do a one-time conversion to an array of unsigned chars - one entry for each port (size is 65536 entries or 64k). This is screaming fast, but takes 64k per port list
• [not-implemented] do a one-time conversion to an array of unsigned chars where each entry in the table stores 8 ports worth of data. This is almost as fast as above, but w/ 1/8 the memory requirements (8k per port).

The above code for port lists can be easily converted to apply to IP lists, and the first two evaluation methods would be applicable.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related snort.org Links snort-announce snort-cvsinfo snort-devel snort-sigs snort-users Request more information about Pantek

So, before I go any further, I wanted to get the opinion of those who have developed later than 1.6.x (the last version I played with).

Questions:

• is this of any interest for snort?
• if so, what's the best way to make use of it? i can still compute a port range for each expression, so sorting by low port is still feasible. i can also compute the number of ports expressed in a given notation, so the breakdowns in the multi-rule content matching should also be feasible
• what is y'all's take on where we should be in the performance/memory trade-off space.
• general thoughts?

Thanks,
Chris

-- 
Christopher E. Cramer, Ph.D.
Information Technology Security Officer
Duke University,  Office of Information Technology
253A North Building, Box 90132, Durham, NC  27708-0291
PH: 919-660-7003  FAX: 919-660-7076  email: chris.cramer@duke.edu




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.
http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel