[Discussion] Submitted Ideas

Victor Julien lists at inliniac.net
Tue Feb 10 09:12:18 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Fong wrote:
> Matt Jonkman wrote:
> 
>> With global how do we keep streams from walking over each other?
>>
>> Maybe make arrays that the check could be against every element of the
>> array and if a match then there'd be the reference to the stream it was
>> from and further checks could be done for other vars in just that
>> stream...
> 
> Actually, this was the thought behind the "Variable Blackboard" item.
> Basically, I think that general problem is the storage of derived or
> extracted data -- and this is complicated by namespace and scoping
> issues.  For example, can Julien's storage of pcre extracted data into
> a packet's context be extended for multiple processors with differing
> (opaque) data structures (-- in my field formatter implementation, I
> extended the OptTreeNode data structure)?  Where would we store global
> versus stream-specific data?
> 
>      Could we define a principled and unified approach that would
> reduce the complexity and diversity of accessor/setter methods and
> storage locations?

My idea currently is to have variables that can be set, modified and
read from the rule language. The variables should exist in the following
contexts: pkt, host, flow, global.

The variables should be able to have various types: integer, string,
binary (like flowbits in Snort).

The pkt vars are stored in the packet and discarded once the packet is
gone. The host vars are stored in a host structure that is contained in
a host table. It's available as long as the host is. Same for the flow
in the flowtable. The global vars are just in a global table.

With the integers it should be able to do some basic calculations, at
least stuff like less than, bigger than, etc., and increment/decrement.
For the strings I'm thinking about exact matches, starts with, ends with,
etc. Most of this is inspired by ModSecurity, which has a number of these
features, and that turns out to be very useful.

The way to set/get/modify from rules is an interesting question. I think
we have a separate discussion on rule syntax going on, maybe it should
be a part of that...

Cheers,
Victor

- --
- ---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
- ---------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmRRPIACgkQiSMBBAuniMcY7ACeNTMGuP01mzm8wmTIfy0xYBvw
bbsAniutjQj7TfjuIqqqDG/zA91gP3te
=9pj8
-----END PGP SIGNATURE-----
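The scoped variable store sketched in the message above, worked through as an added example in C. This is not Suricata code and not code from anyone on the thread; every name in it (VarTable, var_add_int, var_str_starts_with, scenario_two_flows, the "login_fail" counter) is an assumption made for illustration. It gives each packet, host and flow its own table plus one global table, supports the int/string/bit types and the compare, increment and prefix/suffix operations the message lists, and shows that two flows counting the same variable name do not walk over each other because isolation comes from table ownership, not from the name.

```c
/* Added example, not Suricata code: a minimal scoped variable store
 * following the pkt/host/flow/global contexts and int/string/bit types
 * sketched in the message. All identifiers are assumptions. */
#include <limits.h>
#include <stdlib.h>
#include <string.h>

typedef enum { VAR_INT, VAR_STR, VAR_BIT } VarType;

typedef struct Var {
    char name[32];
    VarType type;
    long ival;            /* VAR_INT counter, or VAR_BIT flag (0/1) */
    char sval[64];        /* VAR_STR value */
    struct Var *next;
} Var;

/* One table per scope instance: every packet, host and flow owns one,
 * and there is a single global table. Stream isolation comes from each
 * flow owning its own table, not from prefixing variable names. */
typedef struct { Var *head; } VarTable;

static Var *var_find(VarTable *t, const char *name) {
    for (Var *v = t->head; v; v = v->next)
        if (strcmp(v->name, name) == 0) return v;
    return NULL;
}

/* Find a var, creating it with the given type if absent. Returns NULL
 * on allocation failure or if the name already exists with another type,
 * so a rule cannot silently reinterpret a string as a counter. */
static Var *var_lookup(VarTable *t, const char *name, VarType type) {
    Var *v = var_find(t, name);
    if (v) return v->type == type ? v : NULL;
    v = calloc(1, sizeof(*v));
    if (!v) return NULL;
    strncpy(v->name, name, sizeof(v->name) - 1);
    v->type = type;
    v->next = t->head;
    t->head = v;
    return v;
}

/* Integer ops: set, get with a default for a missing var, add (delta may
 * be negative, giving decrement). var_add_int returns LONG_MIN on error. */
int var_set_int(VarTable *t, const char *name, long val) {
    Var *v = var_lookup(t, name, VAR_INT);
    if (!v) return -1;
    v->ival = val;
    return 0;
}
long var_get_int(VarTable *t, const char *name, long dflt) {
    Var *v = var_find(t, name);
    return (v && v->type == VAR_INT) ? v->ival : dflt;
}
long var_add_int(VarTable *t, const char *name, long delta) {
    Var *v = var_lookup(t, name, VAR_INT);
    return v ? (v->ival += delta) : LONG_MIN;
}

/* String ops: set (truncated to the slot size, always NUL-terminated) and
 * exact / starts-with / ends-with checks returning 1 on match, else 0. */
int var_set_str(VarTable *t, const char *name, const char *val) {
    Var *v = var_lookup(t, name, VAR_STR);
    if (!v) return -1;
    strncpy(v->sval, val, sizeof(v->sval) - 1);
    v->sval[sizeof(v->sval) - 1] = '\0';
    return 0;
}
static const char *var_str(VarTable *t, const char *name) {
    Var *v = var_find(t, name);
    return (v && v->type == VAR_STR) ? v->sval : NULL;
}
int var_str_eq(VarTable *t, const char *name, const char *s) {
    const char *val = var_str(t, name);
    return val && strcmp(val, s) == 0;
}
int var_str_starts_with(VarTable *t, const char *name, const char *p) {
    const char *val = var_str(t, name);
    return val && strncmp(val, p, strlen(p)) == 0;
}
int var_str_ends_with(VarTable *t, const char *name, const char *suf) {
    const char *val = var_str(t, name);
    size_t lv, ls;
    if (!val) return 0;
    lv = strlen(val); ls = strlen(suf);
    return ls <= lv && strcmp(val + lv - ls, suf) == 0;
}

/* Bit ops, the flowbits-style flag: set/unset and test (0 if absent). */
int var_bit_set(VarTable *t, const char *name, int on) {
    Var *v = var_lookup(t, name, VAR_BIT);
    if (!v) return -1;
    v->ival = on ? 1 : 0;
    return 0;
}
int var_bit_isset(VarTable *t, const char *name) {
    Var *v = var_find(t, name);
    return v && v->type == VAR_BIT && v->ival;
}

/* Drop every var in a table: called when the packet is released or the
 * host/flow entry expires, which is what bounds each scope's lifetime. */
void var_table_clear(VarTable *t) {
    Var *v = t->head;
    while (v) { Var *n = v->next; free(v); v = n; }
    t->head = NULL;
}

/* Rule-style check: count failed logins per flow, alert once the flow's
 * count reaches 3, and keep a global total. Returns 1 if the two flows'
 * counters stayed independent while the global total saw every event. */
int scenario_two_flows(void) {
    VarTable global = {0}, flow_a = {0}, flow_b = {0};
    int alerts = 0, ok, i;
    for (i = 0; i < 3; i++) {
        if (var_add_int(&flow_a, "login_fail", 1) >= 3) alerts++;
        var_add_int(&global, "login_fail_total", 1);
    }
    var_add_int(&flow_b, "login_fail", 1);
    var_add_int(&global, "login_fail_total", 1);
    ok = var_get_int(&flow_a, "login_fail", 0) == 3
      && var_get_int(&flow_b, "login_fail", 0) == 1
      && var_get_int(&global, "login_fail_total", 0) == 4
      && alerts == 1;
    var_table_clear(&flow_a); var_table_clear(&flow_b);
    var_table_clear(&global);
    return ok;
}
```

The type check in var_lookup is the one piece of policy worth keeping whatever the final rule syntax looks like: a variable created as a string by one rule and then incremented by another is a signature bug, and refusing the operation (rather than reinterpreting the bytes) makes it visible at load or match time instead of producing a silently wrong counter.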
