[Snort-devel] a doozie of a metaphysical question

tlewis at ...255... tlewis at ...255...
Wed Jun 13 00:16:00 EDT 2001


On Wed, 13 Jun 2001, Martin Roesch wrote:

> You're hosed.  You have to guess or do progressive decomposition of the
> protocols and see which one makes more sense.  Goodbye fast decoding.

Well, yes and no.  I think that there may be a way to trigger a
potentially complex decomposition target protocol determination
(phew!) that is, in the normal case, lightweight.  Fortunately, thanks
to Jon Ramsey's advice, the matching system was designed such that you
can reuse it for things like decomposition target protocol determination,
pre-intrusion-detection-stage NAT-target selection, etc.

> For the sake of sanity and timeliness (unless you want to write an
> application identifier/vulnerability scanner/target-based IDS) it's best
> to assume that the destination port is the protocol.

Well, when the server responds to the target, the "destination port"
is actually the source port.  For now I am using the following logic
for protocol decomposition in the TCP and UDP protocol engines:

   /* prefer the privileged (<1024) side as the service port; */
   /* this also handles server->client replies, where the service */
   /* port is the source port */
   if(ntohs(h->uh_sport)<1024){
      port=ntohs(h->uh_sport);
   } else {
      port=ntohs(h->uh_dport);
   }
   /* pack transport tag (high byte) and service port (low 16 bits) */
   f->protocol= ( (SPM_UDP << 24) | port );

That should be good enough for a good, long while; adding the >1024
well-known ports to the set of "0:1023" would make it last even longer.

Or, it would if I were actually coding something.  Not that I am.
Go back to whatever you were doing before.  If there is an NIDS under
development, then you'll hear about it when it's fully operational.
This thread never existed.

8^)

--
Todd Lewis
tlewis at ...255...
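The port-selection heuristic from the post, written out as a stand-alone example (added here; not Todd's code and not part of Snort). The SPM_TCP/SPM_UDP values, the function names and the sample port pairs are assumptions; the example also flags the ambiguous cases Martin's reply refers to, where both ports or neither port is privileged.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>   /* ntohs(), htons() */

/* Transport tags for the high byte of the protocol id. The post only
 * names SPM_UDP; these numeric values are an assumption. */
#define SPM_TCP 6
#define SPM_UDP 17

/* Ports below this are treated as well-known service ports. */
#define PRIVILEGED_PORT_LIMIT 1024

/* 1 when the "<1024" rule cannot decide: both sides privileged
 * (e.g. 22 -> 25) or neither side privileged (e.g. 6000 -> 6001). */
int port_guess_is_ambiguous(uint16_t sport, uint16_t dport) {
    int s_priv = sport < PRIVILEGED_PORT_LIMIT;
    int d_priv = dport < PRIVILEGED_PORT_LIMIT;
    return s_priv == d_priv;
}

/* The heuristic from the post, on host-order ports: prefer the
 * privileged source port, otherwise fall back to the destination. */
uint16_t pick_service_port(uint16_t sport, uint16_t dport) {
    return sport < PRIVILEGED_PORT_LIMIT ? sport : dport;
}

/* Same packing as the post: (SPM_xxx << 24) | port */
uint32_t make_protocol_id(uint8_t transport, uint16_t port) {
    return ((uint32_t)transport << 24) | port;
}

uint8_t  protocol_transport(uint32_t id) { return (uint8_t)(id >> 24); }
uint16_t protocol_port(uint32_t id)      { return (uint16_t)(id & 0xFFFFu); }

/* Classify from network-order ports as read from the header; reports
 * through *ambiguous (may be NULL) whether the guess was forced. */
uint32_t classify_flow(uint8_t transport, uint16_t sport_net,
                       uint16_t dport_net, int *ambiguous) {
    uint16_t sport = ntohs(sport_net), dport = ntohs(dport_net);
    if (ambiguous) *ambiguous = port_guess_is_ambiguous(sport, dport);
    return make_protocol_id(transport, pick_service_port(sport, dport));
}

int main(void) {
    /* constructed sample flows: DNS reply, HTTP request, two unprivileged */
    uint16_t pairs[][2] = { {53, 40000}, {40000, 80}, {6000, 6001} };
    for (int i = 0; i < 3; i++) {
        int amb;
        uint32_t id = classify_flow(SPM_UDP, htons(pairs[i][0]),
                                    htons(pairs[i][1]), &amb);
        printf("%u->%u: proto=%u port=%u%s\n", pairs[i][0], pairs[i][1],
               protocol_transport(id), protocol_port(id),
               amb ? " (ambiguous)" : "");
    }
    return 0;
}
```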