[Snort-users] PCRE and cross packet matching

Marcos Rodriguez marcos.e.rodriguez at ...11827...
Fri Aug 3 12:11:15 EDT 2012


On Fri, Aug 3, 2012 at 11:58 AM, Tony Robinson <trobinson at ...1935...> wrote:

> Just to further explain Patrick's message,
>
> While it isn't explicitly spelled out, Patrick is more or less referring
> to frag3 and stream5. If you utilize IP defragmentation and stream
> reassembly, we have an entire TCP stream that the rule can work against. If
> frag3/s5 are not being used to defragment/reassemble packets and TCP
> segments, you will only have individual packets to work with.
>
> A good, general rule of thumb for using PCRE in this instance is to have
> some sort of content match prior to using PCRE, so Snort knows where in
> the packet or stream to start the PCRE engine shredding through the data from
> that point onward, and you don't run into the problem of Snort giving up on
> a PCRE match.
>
> hope this helps,
>
> -Tony
>
>
> On Fri, Aug 3, 2012 at 9:53 AM, vpiserchia at ...11827... <vpiserchia at ...11827...> wrote:
>
>> Hello Snort Gurus
>>
>> I have the following question for you:
>>
>> do snort pcre signatures match cross-packet content?
>>
>> I googled a bit and found no other answers about this topic, sorry if I
>> missed any
>>
>> regards
>> vito piserchia
>>
>>
> Tony Robinson
> Security Consultant I
> SourceFIRE Professional Services Division
>


Hi Guys,

That's a great write up, and I vote for its inclusion into the Snort manual
under PCRE.

marcos
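Tony's rule of thumb written out as a Snort 2.9 configuration fragment and a pair of rules, added here as an illustration; it is not from the thread or from the Snort distribution. The preprocessor and pcre_match_limit lines are the stock snort.conf settings, while the X-Request-Tag header, the 64-character threshold and the sids 1000001/1000002 are made-up placeholders.

```snort
# Enable IP defragmentation (frag3) and TCP stream reassembly (stream5).
# Without these the detection engine sees one packet at a time, so a PCRE
# can only match bytes that happen to sit inside that single packet.
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, overlap_limit 10, timeout 180, ports both 80 8080

# The "giving up" Tony refers to: PCRE aborts the match once it exceeds
# these backtracking limits. These are the snort.conf defaults, repeated
# here only so the limit is visible next to the rules.
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500

# Weak form: PCRE with no content anchor (constructed example; header name
# and threshold are made up). The fast pattern matcher has no literal to
# select on, so the regex is run from offset 0 against every client-side
# buffer on port 80, and a long request can push it into the match limit.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE oversized X-Request-Tag header, unanchored"; flow:to_server,established; pcre:"/X-Request-Tag:\s*[^\r\n]{64,}/i"; classtype:misc-activity; sid:1000001; rev:1;)

# Preferred form: a content match first. The rule is only handed to PCRE
# when the literal is present, and the R modifier starts the regex at the
# end of that match instead of at offset 0. Because stream5 reassembles the
# session, the header value may straddle TCP segments and still match.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE oversized X-Request-Tag header, anchored"; flow:to_server,established; content:"X-Request-Tag|3A|"; nocase; pcre:"/^\s*[^\r\n]{64,}/R"; classtype:misc-activity; sid:1000002; rev:1;)
```

Running `snort -T -c snort.conf` with the fragment included is a quick way to confirm both rules parse before loading them into a sensor.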