[Snort-users] PCRE and cross packet matching

Jason Haar Jason_Haar at ...15306...
Sun Aug 5 17:51:46 EDT 2012

In a similar vein, "distance" only applies at the packet level: is there
an equivalent keyword that applies at the stream level?

i.e., every once in a while we get FPs on good rules due to the rule
triggering on some mid-stream packet, when it is obvious the rule
assumes it will only apply to the first packet. E.g., just last week our
vulnerability scanner ran and triggered "SMTP vrfy root", as it is meant
to do. That is configured to generate an alert email, *and that alert
email triggered the same rule, even though it was a FP*!! By pure chance
the content of the alert email happened to put "vrfy" followed by
" root" at the beginning of a mid-stream packet.

The rule is

alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root";
flow:to_server,established; content:"vrfy"; nocase; distance:0;
content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi";
classtype:attempted-recon; sid:3000004; rev:7;)

The "distance:0" is the problem: the *intent* of the rule is to match
against the first chars in a TCP stream, whereas it's hitting the first
chars in any packet of an existing stream. So is there a better way of
doing that?

BTW, if there is no "stream-based" equivalent to such keywords due to
resource/complexity issues, how about creating keywords explicitly for
the first packet of a stream - that is probably 99% of the problem area?



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
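As an added illustration, not part of Jason's post and not Snort code, the following Python model reproduces the false positive with constructed SMTP payloads: the rule's own pcre is evaluated once per segment (where "^" lands on the start of every packet), against the reassembled stream anchored at byte 0, and against the first segment only (the "first packet of a stream" check asked for above). Segment boundaries, hostnames and addresses are hypothetical.

```python
import re

# Same expression and modifiers as the rule's pcre option: /^vrfy\s+root/smi
RULE_PCRE = re.compile(rb"^vrfy\s+root", re.S | re.M | re.I)

# Constructed client-to-server traffic (hypothetical). Stream A is the scanner's
# probe, sent first in the connection. Stream B is the alert e-mail about that
# probe being delivered to the mail server, and TCP segmentation happens to cut
# the message body right before the word "vrfy".
STREAM_PROBE = [
    b"VRFY root\r\n",
]
STREAM_ALERT_MAIL = [
    b"EHLO ids.example.invalid\r\nMAIL FROM:<ids@example.invalid>\r\n",
    b"RCPT TO:<secops@example.invalid>\r\nDATA\r\n",
    b"Subject: IDS alert\r\n\r\nRule 3000004 fired: ",
    b"vrfy root probe seen from 192.0.2.10\r\n.\r\nQUIT\r\n",
]


def matches_per_packet(segments):
    """Run the pcre against each segment's payload on its own. This is the
    behaviour described in the post: '^' anchors to the start of whichever
    packet is being inspected, so a mid-stream segment can fire the rule."""
    return [i for i, seg in enumerate(segments) if RULE_PCRE.search(seg)]


def matches_on_stream(segments):
    """Run the check against the reassembled stream, anchored at offset 0 only.
    \\A is used rather than '^' because, with the rule's 'm' modifier, '^' would
    also match immediately after every newline inside the stream."""
    stream = b"".join(segments)
    return re.search(rb"\Avrfy\s+root", stream, re.S | re.I) is not None


def matches_first_packet_only(segments):
    """Emulate a 'first packet of the stream' keyword: the rule's own pcre,
    evaluated only against the first segment the client sent."""
    return bool(segments) and RULE_PCRE.search(segments[0]) is not None


if __name__ == "__main__":
    for name, segs in (("probe", STREAM_PROBE), ("alert mail", STREAM_ALERT_MAIL)):
        print(name, "per-packet hits:", matches_per_packet(segs),
              "stream:", matches_on_stream(segs),
              "first-packet:", matches_first_packet_only(segs))
```

Only the per-packet evaluation flags the alert e-mail (on segment 3); both stream-anchored variants fire on the real probe and stay quiet on the e-mail.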
