[Snort-devel] Commentary and patch for snort 1.8.3

Mike Fisk mfisk at ...86...
Sat Mar 23 09:20:01 EST 2002

On Mon, 14 Jan 2002, Martin Roesch wrote:

> Phil Wood wrote:

> > PS1: I've got Mike Fisks pattern match speed up code in hand and am trying
> >      to get it running with 1.8.3.  The good news is that Mike said he
> >      would help me as I try to get the multiple content and uricontent
> >      subroutines updated.  Not there yet.

I have working patches against the current cvs tree, but I think there are
some fundamental problems with the semantics of uricontent and
content-list rules.  The rules for all of these rules are stored in the
same ds_list[] element as normal content rules, but separate
Check[Uri|OR]PatternMatch() functions are added to the OTN function list.  

Unfortuntately, if you have a rule with multiple types of rules, say a
uricontent and a normal content, then both patterns will be searched for
by both Check functions.  The result is that the rule will only trigger if
the pattern specified by the normal content option happens to occur in the
URI.  There will also be an extra search over the entire payload for the
uricontent pattern.

For example, take the following rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC PHP-Nuke remote
file include attempt"; flags:A+; uricontent:"index.php"; nocase;
content:"file=http\://"; nocase; reference:bugtraq,3889;
classtype:web-application-attack; sid:1399; rev:2;)

If I send "file=http\://" in the URI, then the rule will match.  But if I
send it elsewhere in the packet, then the rule doesn't match.  That seems
wrong to me.  Agreed?

I have modified code that handles this correctly by allocating new
ds_list[] elements for these different flavors of content rules:

-- Mike Fisk, Los Alamos National Laboratory
See http://home.lanl.gov/mfisk/ for contact information

More information about the Snort-devel mailing list