[Oisf-users] distance, uricontent
Geoff Whittington
geoff.whittington at gmail.com
Thu Mar 18 16:46:45 UTC 2010
Re: 1. Since snort currently does not fail the signature, then
rejecting the rule could create headaches for users.
Re: 2. I would agree - accept the rule and use the modifiers with the
normalized buffer.
Re: 3. Ignoring the modifiers could change the behaviour of existing
signatures.
I don't really like this idea but: create a configuration switch that
spells out the behaviour of the distance/within modifier to support
older signatures.
On Thu, Mar 18, 2010 at 11:20 AM, Will Metcalf
<william.metcalf at gmail.com> wrote:
> IMHO the implementation in snort is broken. From what I have seen
> distance always starts at the beginning of the normalized buffer
> rather than from the end of the last uricontent match. I don't think
> this is right....
>
> We should do one of the following...
>
> 1. Reject the rule because in snort it really doesn't work.
> 2. Accept the rule and setup distance and within to work against the
> normalized buffer(my vote).
> 3. Accept the rule and ignore distance as in snort it really doesn't work.
>
> Things get weirder when you start to mix and match uricontent,content
> and within/distance. but we will save that for later.
>
> What does the community think?
>
> Regards,
>
> Will
>
> #test 32 uricontent with distance modifier
> #This is broken the sig still fires using two uricontent matches
> distance always starts at the beginning of normalized buffer
> #
> #file allworkandnoplayplain.pcap and allworkandnoplayencoded.pcap
> #alert tcp any any -> any any (msg:"uricontent match against
> /AllWorkAndNoPlayMakesWillADullBoy with distance";
> uricontent:"/AllWorkAndNoPlay"; uricontent:"MakesWillADullBoy";
> distance:17; classtype:bad-unknown; sid:32; rev:1;)
>
> On Thu, Mar 18, 2010 at 9:52 AM, Geoff Whittington
> <geoff.whittington at gmail.com> wrote:
>> Hello,
>>
>> Can someone confirm whether there was a decision about the
>> interpretation of uricontent as a "pattern match"? i.e.
>>
>> uricontent:"BAAD"; uricontent:"FOOD"; distance:0;
>>
>> According to snort:
>>
>> "The distance keyword allows the rule writer to specify how far into a
>> packet Snort should
>> ignore before starting to search for the specified pattern relative to
>> the end of the previous
>> pattern match."
>>
>> Cheers,
>> - Geoff
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
More information about the Oisf-users
mailing list