[Snort-users] question about paf
hyunseok at ...6185...
Thu Dec 18 16:16:50 EST 2014
Thanks for your reply and clarification.
On Thu, Dec 18, 2014 at 11:35 AM, Russ Combs (rucombs) <rucombs at ...589...>
> * There are ways to deal with the limits though. If a PDU must be split,
> Snort shifts the split point by a random amount to make it less
> predictable. Also, the issue you bring up could be handled by setting a
> flow bit on an earlier PDU or PDU part and checking that when detecting a
> later PDU or PDU part. Also, preprocessors check for any conditions that
> must be detected before the PDU is assembled.
As you said, flowbits could be one way to correlate detections across
blocks. But I'm still not sure whether that's a real solution. Might be a
contrived example, but say there is a known attack string of 48K length in
HTTP payload. Then with 16K max-paf, the attack string will split over
up to 4 consecutive PDU blocks. Maybe I am not an expert Snort rule writer,
but it doesn't seem trivial or possible to write detection rules to match
such consecutive blocks that hold a long string using flowbits.
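As an added illustration (not part of this thread and not Snort's own rules), here is the flowbits chain Russ describes, written in Snort 2.9-style rule syntax for the 48K-over-16K-PAF case above. The content strings, the flowbit names and the SIDs are placeholders; the assumption is that PAF splits the long string into consecutive PDU parts that are each inspected separately on the same flow.

```snort
# Part 1 of the long string: remember it on the flow, but do not alert yet.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LONGSIG part 1 seen"; flow:to_server,established; content:"PLACEHOLDER_PART1"; http_client_body; flowbits:set,longsig.part1; flowbits:noalert; sid:1000001; rev:1;)

# Part 2: only counts if part 1 was already seen earlier on this flow.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LONGSIG part 2 seen"; flow:to_server,established; flowbits:isset,longsig.part1; content:"PLACEHOLDER_PART2"; http_client_body; flowbits:set,longsig.part2; flowbits:noalert; sid:1000002; rev:1;)

# Part 3: alert once all parts have been seen in order, then clear the state.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LONGSIG complete across PAF-split PDUs"; flow:to_server,established; flowbits:isset,longsig.part2; content:"PLACEHOLDER_PART3"; http_client_body; flowbits:unset,longsig.part1; flowbits:unset,longsig.part2; sid:1000003; rev:1;)
```

The `isset` checks enforce ordering and `noalert` keeps the intermediate rules quiet, so only the final rule produces an event. The caveat is the one raised in this thread: because Snort shifts the PAF split point by a random amount, the boundaries between parts are not fixed, so the placeholder contents have to be short, distinctive substrings chosen well inside each 16K region rather than fixed 16K slices of the string, and a substring that happens to straddle a boundary can still be missed.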