[Discussion] Text in Msgs

Frank Knobbe frank at knobbe.us
Mon Oct 27 17:04:39 UTC 2008


On Mon, 2008-10-27 at 12:46 -0400, Matt Jonkman wrote:
> We are not talking snort. This is totally different.

Okay, then I don't have objections :)

While you are add it, here's a feature I meant to add to Snort years
ago: The ability to copy matched text into a variable used for further
matching.

My idea to implement two new keywords, one to store data into a temp
variable, and one to match the temp variable against data that was valid
for the lifetime of the session (and only available for that session).
Too bad I don't remember the actual use case for it.... but it should
have looked something like this:

content:"http\://"; store:7,2,' ',1;

Different rule (in the same session) could then use:
content:"blah"; match:12,1;

Parameters for store:
1st: Offset from last match (content, isdataat, etc)
2nd: Type of end match: 1: 3rd param is length
                        2: 3rd para is ending char match
3rd: End match: Either a length (copy 10 bytes) or an end match (in
above example, a space)
4th: Number of session variable.

Parameters for match:
1st: Offset from previous match.
2nd: Variable number to match.

Above example would store the domain name after http:// (until reaching
a space) in variable 1. The second rule using match would check if the
data contained in variable 1 is present 12 bytes after blah.


I think one of the reasons it never got implemented (besides there being
workarounds for the specific issue in the past) was that it could easily
bloat the memory of session streams since any data matching the first
rule would alloc memory for the variable and tag it into the data
associated with the stream. It only would be removed if the stream data
is discarded. Considering there could be dozens/hundreds/thousand of
matches on the first rule, it would mean dozen/hundreds/thousand times
the length of the variable (plus some pointers) of memory overhead.


Anyway, since you working on something new, perhaps implementing the
ability to save data from sniffed traffic for later matching could be
implemented more efficiently.

Cheers,
Frank



-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/discussion/attachments/20081027/52e09fb9/attachment.sig>


More information about the Discussion mailing list