[Snort-devel] aye caramba! addendum

Todd Lewis tlewis at ...255...
Wed Apr 4 01:01:29 EDT 2001


Geez, I forgot an important element that was present in an earlier
draft of this document: the overall structure of a rule!

Here's what the logical structure of the matching portion of a rule
would look like:

(
	(
		((ether, ip) src  "192.168.16.0/24") ||
		((ether, ip) dest "192.168.16.0/24")
	) &&
	(
		((ip, tcp) dest_port "80") ||
		((ip, tcp) src_port  "80")
	) &&
	((ip, tcp) flag "A") &&
	(
		((tcp, http) content "etc/passwd") ||
		((tcp, http) content "YaBB.pl")
	) &&
	((pcap, ether) vlan "ox34")
)

For this rule, my guess is that the last criterion, '((pcap, ether)
vlan "ox34")', would be evaluated first, since it has a good chance of
failing, in which case the entire rule is shot down and the rest of the
operations can be avoided.

By this example, I am not suggesting an actual rule syntax; as I try
to make clear in my proposal, that's the job of a separate plugin.
This just indicates what would be passed into the matcher and into the
various protocol engines, in this case ether, ip, tcp and http.

--
Todd Lewis
tlewis at ...255...
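Added illustration of the structure above and of the "evaluate the likely-to-fail criterion first" idea (example code, not Snort's and not from the post): a small matcher tree in which each leaf is one (engine, field, value) criterion handed to a protocol engine, each AND orders its conjuncts by an estimated probability of failing, and evaluation short-circuits. The fail_prob estimates, the packet dictionary layout and the per-field comparison rules are assumptions made for the example.

```python
import ipaddress
import math
from dataclasses import dataclass

@dataclass
class Pred:
    proto: str         # engine that owns the field, e.g. "ether", "ip", "tcp"
    key: str           # field name as written in the rule, e.g. "vlan"
    value: str         # value as written in the rule
    fail_prob: float   # assumed estimate of how often this test rejects a packet
    def __call__(self, pkt, trace):
        trace.append(f"{self.proto}.{self.key}")
        got = pkt.get(f"{self.proto}.{self.key}")
        if got is None: return False      # field not decoded for this packet
        if self.key in ("src", "dest"):   # address criteria: CIDR containment
            return ipaddress.ip_address(got) in ipaddress.ip_network(self.value)
        if self.key == "content":         # payload criteria: substring search
            return self.value in got
        return got == self.value          # ports, flags, vlan: exact match
@dataclass
class And:
    kids: list
    def __call__(self, pkt, trace):       # most likely to fail first, short-circuit
        return all(k(pkt, trace) for k in sorted(self.kids, key=p_fail, reverse=True))
@dataclass
class Or:
    kids: list
    def __call__(self, pkt, trace):       # most likely to succeed first, short-circuit
        return any(k(pkt, trace) for k in sorted(self.kids, key=p_fail))

def p_fail(node):                         # estimated chance the node rejects a packet
    if isinstance(node, Pred):
        return node.fail_prob
    ps = [p_fail(k) for k in node.kids]
    if isinstance(node, And):             # AND passes only if every child passes
        return 1 - math.prod(1 - p for p in ps)
    return math.prod(ps)                  # OR fails only if every child fails

# The rule from the post; the fail_prob figures are constructed guesses.
RULE = And([
    Or([Pred("ip", "src", "192.168.16.0/24", 0.6), Pred("ip", "dest", "192.168.16.0/24", 0.6)]),
    Or([Pred("tcp", "dest_port", "80", 0.5), Pred("tcp", "src_port", "80", 0.5)]),
    Pred("tcp", "flag", "A", 0.3),
    Or([Pred("http", "content", "etc/passwd", 0.9), Pred("http", "content", "YaBB.pl", 0.9)]),
    Pred("ether", "vlan", "ox34", 0.99),  # vlan value copied as written in the post
])

def match(rule, pkt):                     # returns (matched, criteria evaluated in order)
    trace = []
    return rule(pkt, trace), trace
```

With a packet on the wrong vlan only the vlan criterion is ever touched; the trace shows which engines were actually consulted and in what order.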
