[Snort-devel] Proposal for Tagged Packets

Matthew Callaway matt at ...807...
Fri Mar 28 04:43:05 EST 2003


Snort crew,

Congrats on 2.0.0rc1.  Pretty exciting to see the official 2.0.0 almost
here.

I've been curious to see how the tag functionality evolves, given the
statement in the 1.9.1 manual that dynamic rules are being phased out.
Taking a look at the 2.0.0rc1 code, in detect.c, I see that the current
tag function appears to log packets for a given duration after a tag
rule is triggered, to allow a person to make decisions about the results
of an attack.

It seems to me that a more powerful function would be to use tags to
apply subsequent rules to a given stream, and thus to allow snort to do
the checking to see if an attack was successful or not.  For example:

Rule 1: look for anonymous ftp login, tag and watch the next N packets
Rule 2: in the tagged stream, look for a different rule match and alert if so.

One way you might do this is in: int Detect(Packet * p):

This is the way it looks right now:

    if(CheckTagList(p, &event))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "Matching tag node found, "
                    "calling log functions\n"););

        /* if we find a match, we want to send the packet to the
         * logging mechanism
         */
        CallLogFuncs(p, NULL, NULL, &event);

        return 1;
    }

What if you did something like this:

    if(CheckTagList(p, &event))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "Matching tag node found, "
                    "calling log functions\n"););

        /* if we find a match, we want to send the packet to the
         * detection mechanism again
         */
        retval = Detect(p);

        return retval;
    }

Together with a new rule option (perhaps) that says something like "tagged".

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login success"; \
    content:"230 "; tagged; flow:to_client,established; classtype:misc-activity; \
    sid:f00; rev:1;)

So this would only look for "230 ", a response code for a successful
login, in a tagged session from an established ftp stream.

Now, obviously you'd have to be careful about what side effects this
recursion might have, but you get the idea.  It'd be great if the snort
engine could use tags as just the first sign of a threat, and look at
the following stream in a slightly different way than the network
traffic in general.

Does this make sense, or just crazy talk?

Matt
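Added illustration of the two-rule idea in the mail above; this is not Snort code and not the author's, just a model of a tag list plus a "tagged" rule option. Instead of calling Detect() again on a tagged packet, the tagged rules are gated in the same pass, so the recursion concern does not arise. Names, rules and payloads are constructed.

```c
/* Added illustration, not Snort code. A rule with tag_count > 0 marks the
 * flow for the next N packets; a rule with needs_tagged (the proposed
 * "tagged;" option) matches only on packets of a marked flow. Names,
 * rules and payloads are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS 16

typedef struct { unsigned flow; int remaining; } tag_entry;
typedef struct {
    const char *msg, *content;  /* alert text, substring to look for */
    int tag_count;              /* > 0: on match, tag this flow for N more packets */
    int needs_tagged;           /* 1: "tagged;" - match only inside a tagged flow */
} rule_t;

static const rule_t rules[] = {   /* rule 1 tags the flow, rule 2 checks inside it */
    { "POLICY FTP anonymous login attempt", "USER anonymous", 2, 0 },
    { "POLICY FTP anonymous login success", "230 ",           0, 1 },
};
static tag_entry tag_list[MAX_FLOWS];   /* flow -> packets still tagged */

static tag_entry *find_tag(unsigned flow) {
    for (int i = 0; i < MAX_FLOWS; i++)
        if (tag_list[i].remaining > 0 && tag_list[i].flow == flow) return &tag_list[i];
    return NULL;
}

static void add_tag(unsigned flow, int count) {
    tag_entry *t = find_tag(flow);
    for (int i = 0; !t && i < MAX_FLOWS; i++)
        if (tag_list[i].remaining == 0) t = &tag_list[i];   /* free slot */
    if (t) { t->flow = flow; t->remaining = count; }       /* table full: drop */
}

/* One pass over the rules for one packet; returns the alert count. No re-entry. */
int detect_packet(unsigned flow, const char *payload) {
    int alerts = 0, n = sizeof rules / sizeof rules[0];
    tag_entry *t = find_tag(flow);          /* CheckTagList() equivalent */
    if (t) t->remaining--;                  /* this packet uses up one of the N */
    for (int i = 0; i < n; i++) {
        if (rules[i].needs_tagged && !t) continue;   /* the "tagged;" gate */
        if (!strstr(payload, rules[i].content)) continue;
        printf("alert: %s (flow %u)\n", rules[i].msg, flow);
        alerts++;
        if (rules[i].tag_count > 0) add_tag(flow, rules[i].tag_count);
    }
    return alerts;
}
```

A "230 " on a flow that was never tagged stays silent, and once the N packets are used up the tagged rule stops matching again.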
