[Snort-devel] Multi-Packet detection code

anonpoet jason at ...506...
Fri Aug 17 17:06:32 EDT 2001


Well, I just started testing an engine that will detect packets across
multiple packets.  I'm going to stick it in the next version of Hogwash.
I was wondering if anyone here was interested.

It does a signature match like "content", but it also checks for a
partial match at the beginning and end of the packets.  If there is a
partial match at the end, the packet is sent to a cache.  If there is a
partial match at the beginning, it checks to see if the preceding
packet in TCP seq order is in the cache.  If so, it checks across the two
packets for a signature match.

All the memory is alloc'ed up front so I'm not calling *alloc or free
during run time, and the cache is self-managing so it doesn't have to
perform maintenance functions like searching for old entries and
deleting them.

It's pretty lightweight.  I tested the state engine on an active DS3
and it handled it easily.

The rules look like this:

preprocessor conversation

alert tcp any any <> any 21 (msg: "SITE EXEC"; multi-nocase:"site exec";)
alert tcp any any <> any 80 (msg: "perl.exe"; multi:"perl.exe";)

Let me know what you think.

Jason
jason at ...506...
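The two-stage check described in the post (a partial match at a packet's tail is cached keyed by TCP sequence, a partial match at the next packet's head looks up the preceding segment, and the two halves are matched together), as an added C example that is not the spp_conversation / sp_multi_content code attached to this mail. It assumes a single pattern (the "site exec" rule above, nocase) and a single cache slot in place of the preallocated self-managing cache; `multi_content`, `partial` and the other names are invented here.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define PAT "site exec"             /* pattern from the SITE EXEC rule above */
#define PATLEN ((int)sizeof(PAT) - 1)
#define TAILMAX (PATLEN - 1)        /* longest partial match worth caching */

/* One cache slot (a simplification of the preallocated, self-managing cache):
 * the tail of a segment that partially matched, keyed by the seq of the next byte. */
static struct { uint32_t next_seq; unsigned char tail[TAILMAX]; int len, used; } cache;

/* Case-insensitive compare of n bytes (the "multi-nocase" behaviour). */
static int eqn(const unsigned char *a, const char *b, int n) {
    for (int i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}
/* Ordinary "content"-style match: the whole pattern lies inside this buffer. */
static int match_full(const unsigned char *p, int len) {
    for (int i = 0; i + PATLEN <= len; i++)
        if (eqn(p + i, PAT, PATLEN)) return 1;
    return 0;
}
/* Longest k < PATLEN such that: at_head -> the first k bytes of p equal the last k
 * of PAT (pattern may have started earlier); else the last k of p equal the first k. */
static int partial(const unsigned char *p, int len, int at_head) {
    for (int k = len < TAILMAX ? len : TAILMAX; k > 0; k--)
        if (at_head ? eqn(p, PAT + PATLEN - k, k) : eqn(p + len - k, PAT, k)) return k;
    return 0;
}
/* Feed one TCP segment (seq = its first sequence number); returns 1 on alert. */
int multi_content(uint32_t seq, const unsigned char *p, int len) {
    if (match_full(p, len)) return 1;
    if (partial(p, len, 1) && cache.used && cache.next_seq == seq) {
        unsigned char buf[2 * TAILMAX];          /* cached tail + this head */
        int n = len < TAILMAX ? len : TAILMAX;
        memcpy(buf, cache.tail, cache.len);
        memcpy(buf + cache.len, p, n);
        cache.used = 0;
        if (match_full(buf, cache.len + n)) return 1;
    }
    int k = partial(p, len, 0);
    if (k) {                                     /* stash the tail for the next segment */
        cache.next_seq = seq + (uint32_t)len;
        cache.len = k; cache.used = 1;
        memcpy(cache.tail, p + len - k, k);
    }
    return 0;
}
```

A segment whose sequence number does not follow the cached one (a gap, or a stale entry) is deliberately not joined, so the two-packet match only fires on consecutive data in seq order.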
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spp_conversation.c
Type: text/x-c
Size: 8561 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20010817/5b202a57/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spp_conversation.h
Type: text/x-c
Size: 1247 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20010817/5b202a57/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sp_multi_content.h
Type: text/x-c
Size: 532 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20010817/5b202a57/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sp_multi_content.c
Type: text/x-c
Size: 6081 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20010817/5b202a57/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: decode.h
Type: text/x-c
Size: 26703 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20010817/5b202a57/attachment-0004.bin>