[Snort-sigs] How to NOT match on packets or streams

Martin Olsson elof at ...1288...
Mon Feb 2 05:19:04 EST 2004

Is there a keyword that forces a rule to look only at the packets
generated from a reassembled stream, and ignore the real frames that are
captured from the network interface?

In the same mannar, is there a keyword that forces a rule to look only at
the real packets and ignore the generated ones from preprocessors?

Take this rule for instance:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string
attempt"; flow:to_server,established; content:"USER"; nocase; content:"%";
distance:1; within:10; reference:bugtraq,7474; classtype:misc-attack;
sid:2178; rev:1;)

This rule was built to catch a username with a '%'. The author assume
that this string is seen in a single packet, not in a stream.

False positives occurr when stream4 give you a virtual packet
(über-packet) with both the USER login and some other data that accidently
contain a '%'.

One captured packet contain "USER foo".
The next one contain "PASS %bar".
The generated über-packet contain: "USER foo<return>PASS %bar<return>".

The rule won't trigger on any of the two single packets, but it will give
a false alert on the über-packet.

Question 1:
If I add the keyword "rawbytes" to the rule, will it only look at the real
packets, not the über-packet?

Question 2:
Do there exist a keyword for the opposite? If I build a rule designed to
look at the stream, then I don't want to waste CPU recources matching this
rule against every single packet as well.


More information about the Snort-sigs mailing list