[Snort-sigs] About content field..

Frank Meerkoetter frank at ...2338...
Wed Apr 7 13:34:18 EDT 2004

On Wed, Apr 07, 2004 at 01:08:05PM -0400, Matt Kettler wrote:
> At 03:35 AM 4/7/2004, Anand Chiney wrote:
> >While writing signatures can we use CONTENT of two different packets?
> >Thks in advance
> Only in some situations. However if all of the following are true, you can 
> do it:
>         1) you are dealing with TCP data.
>         2) Stream4 is enabled with re-assembly.
>         3) both TCP segments occur before any intervening acknowledgement 
> is sent back from the server.
> For example, in SMTP you can't do a rule that will look at both the MAIL 
> FROM: and RCPT TO: commands, since the server will respond with a status 
> message after the first command.
> Also, keep in mind that #3 pretty much restricts you to two segments of TCP 
> data which are adjacent to each other. Typically TCP stacks will send back 
> ACKs every other data packet, so you can't look for two content strings 
> that are separated by 20kb of data in a single rule. If you have to do 
> something like that, consider looking at the tagging feature to cascade two 
> rules together. I've not done it myself, but I've heard this feature works 
> for this kind of thing. 

I fully understood 1) and 2) but could you please explain 3) a little
bit further?

Till now i thought stream4 would broadly operate in the following way:
   a) Gather the data transmitted within a tcp connection.
   b) At a certain point reassemble the data into a fake segment.
      The point is choosen at random, but bounded by memory
   c) Do further processing for the fake packet.

Is this an incorrect assumption?

TIA Frank Meerkoetter
mixed emotions:
	Watching a bus-load of lawyers plunge off a cliff.
	With five empty seats.

More information about the Snort-sigs mailing list