[Snort-users] PCRE and cross packet matching

vpiserchia at ...11827... vpiserchia at ...11827...
Mon Aug 6 07:34:48 EDT 2012

Hello Patrick, Tony

Thank you for your exhaustive answers.

Before all I have to say that the first experiments were made with the
module and I can confirm that in this case the PCRE signature is not
able to match a cross packet content.

The way I launched snort is like this:

snort --pid-path /root/snort/ -D \
        -c /etc/snort/snort.conf -i eth1,eth2 \
        -l /root/snort/ -A fast \
        --daq-dir /opt/daq/lib/daq --daq pfring --daq-mode passive

Today I made more tests and changed a bit the setup of my experiments,
that is now I use the "standard" PCAP DAQ module
in this way:

snort --pid-path /root/snort/ -D \
        -c /etc/snort/snort.conf -i eth1,eth2 \
        -l /root/snort/ -A fast \
        --daq-dir /opt/daq/lib/daq --daq pcap --daq-mode passive

with this setup the PCRE signature now works well and alert as expected

So my new question for the list is:
has anyone already experienced this behaviour with the pfring daq module
and pcre signatures?

best regards

On 08/03/2012 05:58 PM, Tony Robinson wrote:
> Just to further explain Patrick's message,
> While it isn't explicitly spelled out, Patrick is more or less
> referring to frag3 and stream 5. If you utilize ip defragmentation,
> and stream reassembly, we have an entire TCP stream that the rule can
> work against. If frag3/s5 are not being used to defragment/reassemble
> packets and TCP segments, you will only have individual packets to
> work with.
> A good, general rule of thumb for using PCRE in this instance is to
> have some sort of a content match prior to using PCRE so snort knows
> where in the packet or stream to use the PCRE engine to shred through
> the data from that point onward, so you don't run into the problem of
> snort giving up on a PCRE match.
> hope this helps,
> -Tony
> On Fri, Aug 3, 2012 at 9:53 AM, vpiserchia at ...11827...
> <mailto:vpiserchia at ...11827...> <vpiserchia at ...11827...
> <mailto:vpiserchia at ...11827...>> wrote:
>     Hello Snort Gurus
>     I have the following question for you:
>     does snort pcre signatures match cross-packets content?
>     I googled a bit and no other answers found about this topic, sry if aI
>     missed any
>     regards
>     vito piserchia
>     ------------------------------------------------------------------------------
>     Live Security Virtual Conference
>     Exclusive live event will cover all the ways today's security and
>     threat landscape has changed and how IT managers can respond.
>     Discussions
>     will include endpoint security, mobile security and the latest in
>     malware
>     threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users at lists.sourceforge.net
>     <mailto:Snort-users at lists.sourceforge.net>
>     Go to this URL to change user options or unsubscribe:
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>     Snort-users list archive:
>     http://www.geocrawler.com/redir-sf.php3?list=snort-users
>     Please visit http://blog.snort.org to stay current on all the
>     latest Snort news!
> -- 
> Tony Robinson
> Security Consultant I
> SourceFIRE Professional Services Division

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120806/d2897fbd/attachment.html>

More information about the Snort-users mailing list