[Snort-sigs] [Fwd: CERT Advisory ..] Protocol/Application decoder

Aaron Richard Walters awalters at ...379...
Tue Feb 26 17:07:11 EST 2002

	I was looking at something like this a couple of months ago for a
project I was working on. I ended up writing an Apache module (similar to
that discussed in [1] to get the information I needed. I ran into a
number of problems trying to get Snort to do what I needed. I think
protocol/application decoder could be useful.  Especially if that
information would be available through the Packet structure in decode.h.
One problem that you might face, if it still exists, would be the default
128 byte flush point set in spp_stream4.c.  This caused me all types of
problems on doing content searches and negated searches on the URI.

If you are interested in any of the other problems I faced let me know.

For what it's worth,


[1] Application-Integrated DAta Collection for Security Monitoring. 
	Magnus Almgren and Ulf Lindqvist, RAID 2001

> I the only way I can really think of catching a rule like this would
> have to involve a regular expression over a stream content which would
> be a very slow operation unless we did a protcol/application decoder
> that saw HTML and one could write rules that said
> html_tag: "embed"; attribute: "src", value_length:....." or somehting
> similar.
> or something similar.  If anyone has any brainstorming ideas on how to
> handle this, I'm all ears.
> What will probably be done for this is wait for proof of concept and
> see how it works but this does look like the type of stuff we want to
> be able to allow plugins to be developed for in snort 2.0
> -- 

More information about the Snort-sigs mailing list