[Snort-devel] aye caramba! addendum

Todd Lewis tlewis at ...255...
Wed Apr 4 01:01:29 EDT 2001

Geez, I forgot an important element that was present in an earlier
draft of this document: the overall structure of a rule!

Here's what the logical structure of the matching portion of a rule
would look like:

	(
		((ether, ip) src  "") ||
		((ether, ip) dest "")
	) &&
	(
		((ip, tcp) dest_port "80") ||
		((ip, tcp) src_port  "80")
	) &&
	((ip, tcp) flag "A") &&
	(
		((tcp, http) content "etc/passwd") ||
		((tcp, http) content "YaBB.pl")
	) &&
	((pcap, ether) vlan "0x34")

For this rule, my guess is that the last criterion, '((pcap, ether)
vlan "0x34")', would be evaluated first, since it has a good chance of
failing, in which case the entire rule is shot down and the rest of the
operations can be avoided.

By this example, I am not suggesting an actual rule syntax; as I try
to make clear in my proposal, that's the job of a separate plugin.
This just indicates what would be passed into the matcher and into the
various protocol engines, in this case ether, ip, tcp and http.

Todd Lewis
tlewis at ...255...
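The matcher shape the post describes, as an added example that is not Todd Lewis's code and not Snort's: an AND over clauses, each clause an OR over alternatives, with the clauses sorted so the one least likely to pass (here the VLAN check) is tried first and a miss short-circuits everything after it. The packet layout, the predicate names, the pass_estimate numbers and the sample packets are all assumptions made up for the demonstration; the wildcard address terms written as "" in the post are left out since they match anything. The evaluation counter shows how much work each packet costs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoded-packet summary: what the ether/ip/tcp/http engines
 * would hand the matcher. Not Snort's own structures. Addresses are omitted
 * because the post's src/dest criteria are written as "" (match anything). */
typedef struct {
    uint16_t    vlan;
    uint16_t    src_port;
    uint16_t    dst_port;
    uint8_t     tcp_flags;   /* 0x10 = ACK */
    const char *payload;     /* HTTP payload as text, may be NULL */
} packet_t;

typedef int (*pred_fn)(const packet_t *p, const void *arg);

typedef struct { pred_fn fn; const void *arg; } criterion_t;

/* One AND term of the rule: an OR over its alternatives. pass_estimate is a
 * hypothetical operator-supplied guess of how often the term matches; terms
 * are evaluated in ascending order so the one most likely to fail goes first. */
typedef struct {
    const criterion_t *alts;
    int                n_alts;
    double             pass_estimate;
} clause_t;

static int g_evals;  /* criterion evaluations in the last rule_match() call */

static int p_vlan(const packet_t *p, const void *a)    { g_evals++; return p->vlan == *(const uint16_t *)a; }
static int p_dport(const packet_t *p, const void *a)   { g_evals++; return p->dst_port == *(const uint16_t *)a; }
static int p_sport(const packet_t *p, const void *a)   { g_evals++; return p->src_port == *(const uint16_t *)a; }
static int p_ack(const packet_t *p, const void *a)     { (void)a; g_evals++; return (p->tcp_flags & 0x10) != 0; }
static int p_content(const packet_t *p, const void *a) { g_evals++; return p->payload && strstr(p->payload, (const char *)a) != NULL; }

static int by_pass_estimate(const void *x, const void *y) {
    double d = ((const clause_t *)x)->pass_estimate - ((const clause_t *)y)->pass_estimate;
    return (d > 0) - (d < 0);
}

/* AND over clauses, OR within each clause, both short-circuited. Returns 1 on match. */
int rule_match(const clause_t *clauses, int n, const packet_t *p) {
    clause_t order[16];
    if (n > 16) return 0;
    memcpy(order, clauses, (size_t)n * sizeof(clause_t));
    qsort(order, (size_t)n, sizeof(clause_t), by_pass_estimate);
    g_evals = 0;
    for (int i = 0; i < n; i++) {
        int hit = 0;
        for (int j = 0; j < order[i].n_alts && !hit; j++)
            hit = order[i].alts[j].fn(p, order[i].alts[j].arg);
        if (!hit) return 0;  /* this AND term failed: the remaining engines never run */
    }
    return 1;
}

/* The rule from the post, minus the wildcard address terms. */
static const uint16_t HTTP_PORT = 80, VLAN_ID = 0x34;
static const criterion_t port_alts[]    = { { p_dport, &HTTP_PORT }, { p_sport, &HTTP_PORT } };
static const criterion_t ack_alts[]     = { { p_ack, NULL } };
static const criterion_t content_alts[] = { { p_content, "etc/passwd" }, { p_content, "YaBB.pl" } };
static const criterion_t vlan_alts[]    = { { p_vlan, &VLAN_ID } };
static const clause_t rule[] = {
    { port_alts,    2, 0.30 },   /* pass estimates are made up for the demo */
    { ack_alts,     1, 0.70 },
    { content_alts, 2, 0.05 },
    { vlan_alts,    1, 0.02 },   /* rarest, so it is checked first */
};

/* Wrappers: match the post's rule and report how much work it took. */
int match_post_rule(const packet_t *p) { return rule_match(rule, 4, p); }
int last_eval_count(void) { return g_evals; }

/* Constructed sample packets: vlan, src_port, dst_port, tcp_flags, payload. */
const packet_t pkt_hit        = { 0x34, 40123, 80, 0x18, "GET /cgi-bin/YaBB.pl HTTP/1.0\r\n" };
const packet_t pkt_wrong_vlan = { 0x35, 40123, 80, 0x18, "GET /cgi-bin/YaBB.pl HTTP/1.0\r\n" };
const packet_t pkt_benign     = { 0x34, 40123, 80, 0x18, "GET /index.html HTTP/1.0\r\n" };

int main(void) {
    const packet_t *pk[] = { &pkt_hit, &pkt_wrong_vlan, &pkt_benign };
    for (int i = 0; i < 3; i++) {
        int m = match_post_rule(pk[i]);
        printf("packet %d: %s after %d criterion evaluations\n",
               i, m ? "MATCH" : "no match", last_eval_count());
    }
    return 0;
}
```

With these estimates the VLAN term runs first: the packet on the wrong VLAN is rejected after a single evaluation, the benign request on the right VLAN is rejected after the two content checks, and only the matching packet walks all four clauses. Ordering by failure likelihood is what makes the AND short-circuit pay off; in a real matcher those estimates would come from measured hit rates rather than fixed constants.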
