[Snort-sigs] How to NOT match on packets or streams

Martin Olsson elof at ...1288...
Mon Feb 2 07:52:03 EST 2004


On Mon, 2 Feb 2004, Brian wrote:
> > One captured packet contain "USER foo".
> > The next one contain "PASS %bar".
> > The generated über-packet contain: "USER foo<return>PASS %bar<return>".
>
> While you can use flow "no_stream" option to do what you want, how
> about we fix the rule, instead of using the flow option as a kludge.
>
>     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,7776; classtype:misc-attack; sid:2178; rev:4;)

Thanx for the new rule.

Your hint about the no_stream option made me look at the right place in
the manual. Here I find another option, only_stream, that answered my
second question (in my previous mail).

But...

What is the default mode when neither no_stream nor only_stream are set?

Given your rule above, will it look for the content and pcre in both the
stream-über-packet and the individual frames? That seems to be a waste of
CPU recources.

/Martin





More information about the Snort-sigs mailing list