[Discussion] Submitted Ideas

Victor Julien lists at inliniac.net
Tue Feb 10 08:44:28 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Jonkman wrote:
> Victor Julien wrote:
>> In my prototype code I can already capture vars using pcre substring
>> capturing, although adding an additional way to do this outside of pcre
>> could be interesting too:
>>
>> alert tcp any any -> any $HTTP_PORTS (msg:"HTTP GET URI cap"; flow:to_server; content:"GET "; depth:4; pcre:"/^GET (?P<pkt_http_uri>.*) HTTP\/\d\.\d\r\n/G"; noalert; sid:1;)
>>
>> This captures the http uri into the var "pkt_http_uri", which is stored
>> in a packet context. Similarly, "flow_http_uri" stores it in a flow, so
>> other packets in the same flow can access it. I'm thinking about adding
>> the same for 'global', 'host', 'stream' and maybe more...
> 
> With global how do we keep streams from walking over each other?

You wouldn't. A per flow/stream var would be used then...

A global var would for example just contain the last username that
logged in. Maybe globals aren't very useful for capturing, but more for
stuff like counters, etc.

> Maybe make arrays that the check could be against every element of the
> array and if a match then there'd be the reference to the stream it was
> from and further checks could be done for other vars in just that stream...

I'm not sure I'm following you here...

Cheers,
Victor

- --
- ---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
- ---------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmRPmwACgkQiSMBBAuniMfxqACeKe60DF7MSZNBxMiUu83GztL0
6GIAnApP9+GMJR7kC3pH6FkC5HAaxA6F
=qvdf
-----END PGP SIGNATURE-----

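As an added example, not code from this thread or from the Suricata prototype
it discusses: a small Python model of the packet, flow and global capture
scopes described above. It runs the GET-line pcre from the quoted rule against
two interleaved flows and shows that a flow-scoped var survives into a later
packet of the same flow, that a packet-scoped var does not, and that a global
var is overwritten by whichever flow matched last (the "walking over each other"
problem). The "global_" prefix, the one-rule-per-scope layout, the Packet
class and the sample payloads are assumptions made for illustration.

```python
"""Toy model of scoped variable capture from pcre named groups (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    flow_id: str    # stand-in for the 5-tuple that identifies a flow
    payload: bytes


# Assumed naming convention: the prefix of the named group selects the scope
# the captured value is stored in ("global_" is an assumption; the mail only
# shows "pkt_" and "flow_").
SCOPES = ("pkt", "flow", "global")


class VarStore:
    """Holds captured variables, keyed by scope."""

    def __init__(self):
        self.global_vars = {}   # shared by every flow
        self.flow_vars = {}     # flow_id -> {name: value}

    def capture(self, pkt, rules):
        """Match every rule's pcre against the payload and store captures by
        scope. Packet-scoped vars live only for this packet, so they are
        returned rather than stored."""
        pkt_vars = {}
        for regex in rules:
            m = regex.match(pkt.payload)
            if m is None:
                continue
            for group, value in m.groupdict().items():
                if value is None:
                    continue
                scope, _, name = group.partition("_")
                if scope == "pkt":
                    pkt_vars[name] = value
                elif scope == "flow":
                    self.flow_vars.setdefault(pkt.flow_id, {})[name] = value
                elif scope == "global":
                    self.global_vars[name] = value
                else:
                    raise ValueError(f"unknown scope prefix in group {group!r}")
        return pkt_vars


# The GET-line pcre from the quoted rule, compiled once per scope (one group
# can only be captured into one place, so three rules are used).
GET_URI = rb"^GET (?P<%s_http_uri>.*) HTTP/\d\.\d\r\n"
RULES = [re.compile(GET_URI % scope.encode()) for scope in SCOPES]

# Constructed sample traffic: two flows whose packets arrive interleaved.
SAMPLE = [
    Packet("A", b"GET /index.html HTTP/1.1\r\nHost: a.example\r\n\r\n"),
    Packet("B", b"GET /login HTTP/1.0\r\nHost: b.example\r\n\r\n"),
    Packet("A", b"POST /upload HTTP/1.1\r\nHost: a.example\r\n\r\n"),
]


def run(packets=SAMPLE):
    """Process packets in order; return what each scope holds after each one."""
    store = VarStore()
    trace = []
    for pkt in packets:
        pkt_vars = store.capture(pkt, RULES)
        trace.append({
            "flow": pkt.flow_id,
            "pkt": pkt_vars,
            "flow_vars": dict(store.flow_vars.get(pkt.flow_id, {})),
            "global": dict(store.global_vars),
        })
    return trace


if __name__ == "__main__":
    for step in run():
        print(step)
```

After the third packet (a POST on flow A, which the GET rule does not match)
the packet scope is empty, flow A still holds /index.html, and the global var
holds /login from flow B: exactly the clobbering a per-flow var avoids.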