[Snort-devel] An important multi-content rule related question

From: Prabhat Singh <prabhats(at)rediffmail.com>
Date: Sun Mar 28 2004 - 08:16:23 EST

Hi, I have a question about multi-content rule processing. Let me try to explain my question a little bit more. Assume, one signature S1 has 3 patterns (content) P1, P2, P3. Now, typically, these pattern shall match, in definite sequence, in a single packet. So, the pattern match sequence can be P1, P2, P3, before we can finally declare a match. My question is with Multi-content signatures, "within" and "distance" constraints may also be associated with them . So, if the patterns (P1, P2, P3) are scattered across various packets, how does SNORT keeps track of all these things (checking "within" "distance" constriants). secondly, is there any possibility that following kind of occurance can occur in a packet or multiple packets: P1, P1, P1, P1, P2, P2, P2, P3 In the above mentioned case, P1, P2, and P3 can still be matched and they can satisfy the "within" and "distance" constriants. So, how do SNORT handles this case. Or this type of case can never happen in real world. Considering the given scenario, what will be the algorithm to detect the exact match. Thanks, -PRabhat

---

This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

---

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Sun Mar 28 08:23:31 2004