
RE: [Snort-devel] port (and ip?) lists

From: Milani Paolo <Paolo.Milani(at)TILAB.COM>
Date: Thu Mar 25 2004 - 07:59:07 EST

Hi,

Since you say you haven't really looked inside snort since version 1.6, I thought you might be unaware of the changes in the architecture that came in with version 2.0 (with a BIG speed increase!!). You can read the whitepapers/techdocs on the sourcefire site ("Snort 2.0 rule optimizer" and "snort 2.0 Hi-performance multi-rule inspection engine"). To put it (very) synthetically, snort rules are inserted into groups based on the port number (let's say the server side port for the sake of a simple explanation) in such a way that each packet need only be evaluated against a single rule group. Each rule group is then preprocessed to make use of multi-pattern matching algorithms that make contents matching very fast. So when a packet arrives a port group is selected (using an array of 64K pointers to directly access the port group) and then the packet gets tested against that group.

This does not by any means imply that your suggestion isn't valid, but implementation is completely different, because it has impact on the way port groups are constructed: which unique port groups are created and which rules get inserted in which port groups.

ciao,
Paolo Milani

From: "cec@ee.duke.edu" <cec@ee.duke.edu>
To: snort-devel@lists.sourceforge.net
Date: Wed, 24 Mar 2004 15:02:51 -0500
Subject: [Snort-devel] port (and ip?) lists

Hi Folks,

It's been a while since I've done much in the way of snort hacking. After I took the IT Security Officer position for Duke, it was a matter of a severe lack of time. Anyway, I recently decided that for my own sanity I needed to get back involved in something that was programming oriented. So, I started thinking about Snort (which we use here extensively) and one of the first things that seemed like it still needed doing was the ability to add arbitrary port and ip lists.


My original intention was to allow for the OR-ing of ports along with the spurious NOT. But as I started thinking about this, I realized that something even more generic was called for. For example, I may want to specify all privileged ports (1:1024), except for the windows ports (135-139, 445, 593). So we might want to write a port list like the following:

1:1024 & !(135:139 | 445 | 593)

So, it turns out that this isn't so bad. I've got code now that will take the above and turn it into a postfix notation:

1:1024 135:139 445 | 593 | ! &

I've also got 3 different routines (and can envision a 4th) that will evaluate the postfix expression against a given port. Each routine has a different performance/memory trade-off. The 4 methods I've thought about for evaluation are:

  • carry around a text string which is the postfix notation and then parse and evaluate the string for each port (real cheap from the memory standpoint, kind of a dog for evaluation)
  • pre-convert the string to a token list stored in an Nx3 array of shorts (some memory usage, but twice as fast)
  • do a one-time conversion to an array of unsigned chars - one entry for each port (size is 65536 entries or 64k). This is screaming fast, but takes 64k per port list
  • [not-implemented] do a one-time conversion to an array of unsigned chars where each entry in the table stores 8 ports worth of data. This is almost as fast as above, but w/ 1/8 the memory requirements (8k per port).

The above code for port lists can be easily converted to apply to IP lists, and the first two evaluation methods would be applicable.

So, before I go any further, I wanted to get the opinion of those who have developed later than 1.6.x (the last version I played with).

Questions:

  • is this of any interest for snort?
  • if so, what's the best way to make use of it? i can still compute a port range for each expression, so sorting by low port is still feasible. i can also compute the number of ports expressed in a given notation, so the breakdowns in the multi-rule content matching should also be feasible
  • what is y'all's take on where we should be in the performance/memory trade-off space?
  • general thoughts?

Thanks,
Chris

-- 
Christopher E. Cramer, Ph.D.
Information Technology Security Officer
Duke University,  Office of Information Technology
253A North Building, Box 90132, Durham, NC  27708-0291
PH: 919-660-7003  FAX: 919-660-7076  email: chris.cramer@duke.edu
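Chris's fourth, not-yet-implemented evaluation method, as an added example that is not code from this thread or from Snort: the postfix string is evaluated once into a bitmap holding eight ports per byte (8 KB per list), and a packet's port is then tested with one shift and one mask. The function names, the 256-byte expression limit and the operand-stack depth of 8 are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NPORTS   65536
#define BMBYTES  (NPORTS / 8)   /* eight ports per byte: 8 KB per port list */

typedef struct { uint8_t b[BMBYTES]; } portset_t;

/* Evaluate a postfix port list such as "1:1024 135:139 445 | 593 | ! &" into one
 * bitmap. Operands are "port" or "lo:hi"; operators are | & !. Returns 0 or -1. */
int portlist_eval(const char *postfix, portset_t *out)
{
    static portset_t stack[8];          /* assumed operand-stack depth */
    int sp = 0;
    char buf[256];                      /* assumed maximum expression length */
    strncpy(buf, postfix, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (!strcmp(tok, "|") || !strcmp(tok, "&")) {  /* binary: pop two, push one */
            if (sp < 2) return -1;
            for (int i = 0; i < BMBYTES; i++)
                stack[sp - 2].b[i] = (*tok == '|') ? (stack[sp - 2].b[i] | stack[sp - 1].b[i])
                                                   : (stack[sp - 2].b[i] & stack[sp - 1].b[i]);
            sp--;
        } else if (!strcmp(tok, "!")) {                /* unary: complement in place */
            if (sp < 1) return -1;
            for (int i = 0; i < BMBYTES; i++) stack[sp - 1].b[i] = (uint8_t)~stack[sp - 1].b[i];
        } else {                                       /* operand: port or lo:hi range */
            char *end;
            int lo = (int)strtol(tok, &end, 10);
            int hi = (*end == ':') ? (int)strtol(end + 1, &end, 10) : lo;
            if (*end || lo < 0 || hi >= NPORTS || lo > hi || sp == 8) return -1;
            memset(&stack[sp], 0, sizeof stack[sp]);
            for (int p = lo; p <= hi; p++) stack[sp].b[p >> 3] |= (uint8_t)(1u << (p & 7));
            sp++;
        }
    }
    if (sp != 1) return -1;             /* leftover or missing operands */
    *out = stack[0];
    return 0;
}

/* Per-packet test: one shift and one mask. */
int portlist_has(const portset_t *s, int port) { return (s->b[port >> 3] >> (port & 7)) & 1; }

/* 1 if port matches the expression, 0 if not, -1 if the expression is malformed. */
int portlist_check(const char *postfix, int port)
{
    portset_t s;
    return portlist_eval(postfix, &s) < 0 ? -1 : portlist_has(&s, port);
}
```

In a real rule engine the bitmap would be built once at rule-load time and only portlist_has would run per packet.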





_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel



Received on Thu Mar 25 08:19:26 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT

