[Snort-users] sp_pattern_match : problem or feature?

Fyodor fygrave at ...121...
Wed Aug 16 15:07:57 EDT 2000


Hello,
 I didn't actually notice it right away (oops) but with the recent
sp_pattern_match change the semantics of the `content' (and `content-list')
keywords got changed. First I was thinking of fixing it right away, but it
seems that both ways of handling `content*' keywords might be useful.

To give more details on the problem that popped up:

The original behavior of the `content' keyword was: if several `content's are
defined per rule, e.g.

alert tcp any any -> any any (msg: "boomerang"; content: "one piece"; content: "another");

Snort would trigger the alert only if the packet contains both `one piece' and
`another'.

However, with the recent change it would be: if the packet contains `one piece'
_OR_ `another', the alert would be triggered.

Actually it might make sense to keep _OR_ for content-list, but the new
behaviour breaks certain rules (vbs script rules, e.g.) where multiple content
keywords are used.

The question is: how would the Snort community prefer this to be
implemented?

1. Leave the original semantics of the `content' rule and keep the new semantics for
`content-list'

2. Leave the original semantics for both `content' and `content-list' and
introduce a new set of keywords to handle _OR_ operations with content

3. Put an extra keyword defining the semantics per rule (*ugh*, should be too much
hassle.. ;-))


BTW if anyone feels like testing the still probably buggy but seemingly working
basic regex support (keyword `regex', supported characters: `*', `?' and
`\' for escape, usage similar to nocase), it's been committed tonight.


Any feedback is welcome.

-Fyodor
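The following is an added example, not code from the post or from Snort itself. It is a small Python reimplementation of the two `content' semantics the post contrasts (original AND versus the new OR), so that a rule author can check how an existing rule behaves under either interpretation before upgrading. The option parser, the `rule_fires` function and the translation of the post's `*' / `?' / `\' wildcard syntax into a Python regular expression are all assumptions made for this example; the real sp_pattern_match code is not reproduced here. The sample rule is the "boomerang" rule from the post, and the payloads are constructed.

```python
import re

# Rule quoted from the post: two content options in one rule.
RULE = 'alert tcp any any -> any any (msg: "boomerang"; content: "one piece"; content: "another");'


def parse_options(rule):
    """Return (keyword, value) pairs from the parenthesised option block.

    Assumed, simplified parser: options are split on ';', so a content
    string that itself contains ';' is not supported here.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options = []
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(":")
        options.append((key.strip(), val.strip().strip('"')))
    return options


def glob_to_regex(pattern):
    """Translate the post's minimal wildcard syntax into a Python regex.

    Assumed mapping: '*' -> '.*', '?' -> '.', backslash escapes the next
    character; everything else is matched literally.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def content_specs(options):
    """Group each content option with the nocase/regex modifiers that follow it."""
    specs = []
    for key, val in options:
        if key == "content":
            specs.append({"pattern": val, "nocase": False, "regex": False})
        elif key in ("nocase", "regex") and specs:
            specs[-1][key] = True
    return specs


def spec_hit(spec, payload):
    """Does one content spec match the payload?"""
    if spec["regex"]:
        flags = re.DOTALL | (re.IGNORECASE if spec["nocase"] else 0)
        return re.search(glob_to_regex(spec["pattern"]), payload, flags) is not None
    if spec["nocase"]:
        return spec["pattern"].lower() in payload.lower()
    return spec["pattern"] in payload


def rule_fires(rule, payload, semantics="and"):
    """Evaluate all content options under 'and' (original) or 'or' (new) semantics."""
    specs = content_specs(parse_options(rule))
    if not specs:
        return True
    hits = [spec_hit(s, payload) for s in specs]
    return all(hits) if semantics == "and" else any(hits)


if __name__ == "__main__":
    # Constructed payloads: only the first satisfies both content strings.
    for payload in ("one piece and another", "just another", "nothing here"):
        print(repr(payload),
              "AND:", rule_fires(RULE, payload, "and"),
              "OR:", rule_fires(RULE, payload, "or"))
```

Running the block shows the regression the post describes: "just another" does not fire under the original AND semantics but does under OR, so every rule that relies on two `content' strings appearing together becomes noisier without its author changing anything.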
