[Snort-users] Which options determine which packets are matched?

Sweth Chandramouli snort-users at ...2354...
Wed Jun 20 12:36:39 EDT 2001


	I'm building a system that needs to be able to keep
track of different versions of snort filters.  Some of the filters that
I'm going to be cataloguing don't have any easy way to index them, so I've
finally come to terms with the fact that I need to build up a hashed index
of the various fields in the rule, and decide whether or not one rule is
"identical" to a previous rule based on how closely those fields match.

	The fields that I think determine what packets a given
filter matches are, for 1.7-style rules:

* ttl
* tos
* id
* ipoption
* fragbits
* dsize
* flags
* seq
* ack
* itype
* icode
* icmp_id
* icmp_seq
* content
* offset
* depth
* nocase
* rpc

	So, in theory, any pair of filters that are identical
for those fields are "the same", even if other options like msg happen
to be different.  Does my list above look right?  Am I missing anything
on it?  Is there anything on it that doesn't actually affect matching?

	Also, is there any documentation on the extensions that 1.8
adds to the options list?  The only examples I can find of those 
extensions are classtype, sid, and rev, and I can't find any 
explanations of what they do (although I have my ideas).

	Thanks,

	Sweth.

-- 
Sweth Chandramouli ; <svc at ...2353...>
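An added worked example, not part of the original post or of Snort itself: a small Python fingerprinter for 1.x-style rules that builds the kind of hashed index the post describes. It hashes the option keywords from the post's list, and also the rule header (protocol, addresses, ports, direction), since those select packets too; msg, sid, rev, classtype and similar bookkeeping options are dropped. Assumptions (not confirmed by the post): offset, depth and nocase are attached to the most recent content keyword (1.8 semantics), the action keyword is excluded because it changes what happens rather than what matches, the two endpoints of a bidirectional (<>) rule are sorted so the reversed form hashes the same, and variables such as $HOME_NET are compared textually rather than resolved against snort.conf. The sample rules are constructed for the example.

```python
import hashlib
import json
import re

# Option keywords taken from the post's list of match-affecting fields.
MATCH_OPTS = {
    "ttl", "tos", "id", "ipoption", "fragbits", "dsize", "flags", "seq",
    "ack", "itype", "icode", "icmp_id", "icmp_seq", "content", "offset",
    "depth", "nocase", "rpc",
}
# Modifiers that attach to the most recent content: keyword
# (assumption: Snort 1.8 semantics for offset/depth/nocase).
CONTENT_MODS = {"offset", "depth", "nocase"}

# Rule header: <action> <proto> <src> <sport> <dir> <dst> <dport>
_HEADER_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*$")


def split_options(body):
    """Split the option body on ';' outside double quotes; backslash escapes the next char."""
    items, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    parsed = []
    for item in items:
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition(":")
        parsed.append((key.strip().lower(), val.strip() if sep else None))
    return parsed


def parse_rule(rule):
    """Return the header fields and the ordered option list of a Snort 1.x rule."""
    lp, rp = rule.find("("), rule.rfind(")")
    if lp < 0 or rp < lp:
        raise ValueError("rule has no option body: %r" % rule)
    m = _HEADER_RE.match(rule[:lp])
    if not m:
        raise ValueError("unparseable rule header: %r" % rule[:lp])
    action, proto, src, sport, direction, dst, dport = m.groups()
    return {
        "action": action.lower(), "proto": proto.lower(),
        "src": src, "sport": sport, "direction": direction,
        "dst": dst, "dport": dport,
        "options": split_options(rule[lp + 1:rp]),
    }


def _unquote(val):
    if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
        return val[1:-1]
    return val


def match_key(rule):
    """Canonical form of everything that selects packets; msg/sid/rev/classtype are dropped."""
    r = parse_rule(rule)
    a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
    if r["direction"] == "<>":
        a, b = sorted([a, b])  # bidirectional: endpoint order does not change the match set
    groups, current = [], None
    for key, val in r["options"]:
        if key not in MATCH_OPTS:
            continue  # msg, sid, rev, classtype, reference, ... do not affect matching
        if key == "content":
            current = {"content": _unquote(val), "mods": {}}
            groups.append(current)
        elif key in CONTENT_MODS and current is not None:
            current["mods"][key] = val  # nocase carries no value -> None
        else:
            groups.append({key: val})
    for g in groups:
        if "mods" in g and "nocase" in g["mods"]:
            g["content"] = g["content"].lower()  # case-insensitive match: fold the pattern
    return {"proto": r["proto"], "a": a, "b": b, "dir": r["direction"], "opts": groups}


def fingerprint(rule):
    """SHA-256 over the canonical match key; stable across runs and processes."""
    blob = json.dumps(match_key(rule), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def index_rules(rules):
    """Group rules by fingerprint: a bucket with more than one entry holds match-identical rules."""
    buckets = {}
    for rule in rules:
        buckets.setdefault(fingerprint(rule), []).append(rule)
    return buckets


# Constructed sample rules for the example (not taken from any real ruleset).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC cgi-bin GET"; content:"GET /cgi-bin/"; nocase; depth:40; flags:A; classtype:web-application-activity; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"renamed rule"; content:"get /CGI-BIN/"; nocase; depth:40; flags:A; sid:1000002; rev:3;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"deeper search"; content:"GET /cgi-bin/"; nocase; depth:60; flags:A; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"case sensitive"; content:"GET /cgi-bin/"; depth:40; flags:A; sid:1000004; rev:1;)',
    'log udp 10.0.0.0/8 53 <> any any (msg:"dns ttl 1"; ttl:1; sid:1000005;)',
    'log udp any any <> 10.0.0.0/8 53 (msg:"same thing reversed"; ttl:1; sid:1000006;)',
]

if __name__ == "__main__":
    for fp, bucket in index_rules(RULES).items():
        print(fp[:16], len(bucket), [r.split("(")[0].strip() for r in bucket])
```

Run stand-alone, this prints four buckets: the first two rules collapse (they differ only in msg, sid, rev, classtype and in the case of a nocase pattern), the third stays separate because depth changed, the fourth because dropping nocase makes the content match case-sensitive, and the two bidirectional udp rules collapse despite their swapped endpoints. Because header variables are compared as text, two rules whose $HOME_NET and 192.168.0.0/16 resolve to the same addresses will still hash differently; resolving variables from the configuration before hashing would need a further step.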