[Snort-sigs] About content field..
frank at ...2338...
Wed Apr 7 13:34:18 EDT 2004
On Wed, Apr 07, 2004 at 01:08:05PM -0400, Matt Kettler wrote:
> At 03:35 AM 4/7/2004, Anand Chiney wrote:
> >While writing signatures can we use CONTENT of two different packets?
> >Thanks in advance
> Only in some situations. However if all of the following are true, you can
> do it:
> 1) you are dealing with TCP data.
> 2) Stream4 is enabled with re-assembly.
> 3) both TCP segments occur before any intervening acknowledgement
> is sent back from the server.
> For example, in SMTP you can't do a rule that will look at both the MAIL
> FROM: and RCPT TO: commands, since the server will respond with a status
> message after the first command.
> Also, keep in mind that #3 pretty much restricts you to two segments of TCP
> data which are adjacent to each other. Typically TCP stacks will send back
> ACKs every other data packet, so you can't look for two content strings
> that are separated by 20kb of data in a single rule. If you have to do
> something like that, consider looking at the tagging feature to cascade two
> rules together. I've not done it myself, but I've heard this feature works
> for this kind of thing.
I fully understood 1) and 2) but could you please explain 3) a little
Till now I thought stream4 would broadly operate in the following way:
a) Gather the data transmitted within a tcp connection.
b) At a certain point reassemble the data into a fake segment.
The point is chosen at random, but bounded by memory
c) Do further processing for the fake packet.
Is this an incorrect assumption?
TIA Frank Meerkoetter
Watching a bus-load of lawyers plunge off a cliff.
With five empty seats.
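To illustrate Matt's point 3) and Frank's a)-c) sketch of stream4, here is an added Python model (not code from this thread and not Snort's own stream4 implementation) that joins adjacent client-to-server segments into one pseudo-packet, treats a server reply as the flush point (a simplifying assumption about where reassembly cuts the stream), and checks whether a rule carrying two content: patterns can fire on the result. The SMTP-style segments are constructed for the example.

```python
"""Constructed model: stream reassembly and a rule with two content: fields."""
from dataclasses import dataclass
from typing import List

@dataclass
class Segment:
    direction: str   # "c2s" = client to server, "s2c" = server to client
    seq: int         # TCP sequence number of the payload's first byte
    payload: bytes

def reassemble_client_side(segments: List[Segment]) -> List[bytes]:
    """Simplified model (assumption, not Snort's stream4 code): adjacent
    client-to-server segments are joined in sequence order into one pseudo-
    packet; a server-to-client segment (an SMTP status reply, for instance)
    closes the current buffer and starts a new one."""
    buffers: List[bytes] = []
    pending: List[Segment] = []
    def flush() -> None:
        if pending:
            pending.sort(key=lambda s: s.seq)       # tolerate out-of-order arrival
            buffers.append(b"".join(s.payload for s in pending))
            pending.clear()
    for seg in segments:
        if seg.direction == "c2s":
            pending.append(seg)
        else:
            flush()
    flush()
    return buffers

def rule_matches(contents: List[bytes], buffers: List[bytes]) -> bool:
    """A rule whose content: patterns must all appear in one reassembled buffer."""
    return any(all(c in buf for c in contents) for buf in buffers)

# Constructed SMTP-style exchanges. SEPARATED: the server answers between the
# two commands, so the patterns end up in different buffers and the rule misses.
SEPARATED = [
    Segment("c2s", 1, b"MAIL FROM:<a@example.test>\r\n"),
    Segment("s2c", 1, b"250 OK\r\n"),
    Segment("c2s", 29, b"RCPT TO:<b@example.test>\r\n"),
]
# ADJACENT: both client segments arrive before any reply (second one first,
# out of order), so they are reassembled together and the rule fires.
ADJACENT = [
    Segment("c2s", 29, b"RCPT TO:<b@example.test>\r\n"),
    Segment("c2s", 1, b"MAIL FROM:<a@example.test>\r\n"),
    Segment("s2c", 1, b"250 OK\r\n"),
]
RULE = [b"MAIL FROM:", b"RCPT TO:"]
```

Real stream4 flush points depend on its configuration and memory limits, as Frank notes, so the server-reply trigger above is only the case Matt describes.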