[Snort-users] PCRE and cross packet matching

Patrick Mullen pmullen at ...1935...
Fri Aug 3 11:43:40 EDT 2012


Vito,

> does snort pcre signatures match cross-packets content?

The answer isn't a simple yes or no, unfortunately.  But thankfully,
the answer isn't complicated, either.

As packets come across the wire individually, you can think of them as
completely separate documents.  So no, you cannot match across
multiple packets in this way much like you can't match in two
different documents inside a normal regular expression.

However, snort will (depending on your configuration) reassemble
multiple packets into a "super packet" and feed that back through the
system.  The pcre could then match on the contents of multiple packets
because it would see them all together as a single "document."

There are still limitations, of course, largely based upon performance
considerations.  Namely, if the start of the pcre is at the beginning
of the first packet and the ending of the match is 3000 bytes later in
another packet, the pcre will probably not match because it'll be too
slow and snort will give up in the interest of not dropping packets.
Also, you would have to make sure that the relevant packets were
assembled together and that the stream reassembler is running on that
port.

Is this a general question, or do you have a particular pcap and rule
in mind that is not alerting for you?  If you want to share your pcap
and rule with me I'd be happy to take a look and let you know if it
should alert or why it should not alert and if possible I can provide
some alternative strategies to hopefully get the results you want.


Thanks,

~Patrick
-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT




More information about the Snort-users mailing list