[Snort-users] question about paf

Hyunseok hyunseok at ...6185...
Thu Dec 18 16:16:50 EST 2014


Thanks for your reply and clarification.

On Thu, Dec 18, 2014 at 11:35 AM, Russ Combs (rucombs) <rucombs at ...589...>
wrote:
>
> * There are ways to deal with the limits though.  If a PDU must be split,
> Snort shifts the split point by a random amount to make it less
> predictable.  Also, the issue you bring up could be handled by setting a
> flow bit on an earlier PDU or PDU part and checking that when detecting a
> later PDU or PDU part.  Also, preprocessors check for any conditions that
> must be detected before the PDU is assembled.
>

As you said, flowbits could be one way to correlate detections across
blocks.  But I'm still not sure whether that's a real solution.  Might be a
contrived example, but say there is a known attack string of 48K length in
HTTP payload.  Then with 16K max-paf, the attack string will split over
up to 4 consecutive PDU blocks.  Maybe I am not an expert Snort rule writer,
but it doesn't seem trivial or possible to write detection rules to match
such consecutive blocks that hold a long string using flowbits.

-HS
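An added example, not code from the thread, from Snort, or from either poster, that models the situation HS describes: a 48K attack string in a flow that PAF cuts into blocks of at most 16K. Everything here is a simulation; `paf_split` is a hypothetical splitter whose "random shift" (the `jitter` parameter) is an assumption about how the split point moves, not Snort's algorithm. It compares three detectors: a stateless per-block content match, a model of the flowbits approach (rule i matches the i-th 16K chunk of the string and requires that rule i-1 already fired on the flow), and a streaming matcher that carries one integer of KMP state across block boundaries. The 48K pattern and the filler are constructed random bytes.

```python
import random

MAX_PDU = 16 * 1024  # the 16K max-paf value discussed in the thread


def paf_split(payload: bytes, max_pdu: int = MAX_PDU, jitter: int = 0,
              seed: int = 0) -> list:
    """Cut payload into blocks of at most max_pdu bytes.

    Assumption (a model, not Snort's code): when a block has to be forced
    out, the split point is pulled back by a random amount in [1, jitter),
    standing in for the 'random shift' mentioned in the reply above.
    """
    rng = random.Random(seed)
    blocks, pos = [], 0
    while pos < len(payload):
        size = max_pdu
        if jitter and len(payload) - pos > max_pdu:
            size = max_pdu - rng.randrange(1, jitter)
        blocks.append(payload[pos:pos + size])
        pos += size
    return blocks


def per_block_detect(blocks, pattern: bytes) -> bool:
    """Stateless rule: fires only if the whole pattern sits inside one block."""
    return any(pattern in blk for blk in blocks)


def chained_flowbit_detect(blocks, pattern: bytes, chunk: int = MAX_PDU) -> bool:
    """Model of chained flowbits rules: rule i looks for chunk i of the pattern
    and only counts if rule i-1 fired earlier on the same flow."""
    chunks = [pattern[i:i + chunk] for i in range(0, len(pattern), chunk)]
    stage = 0  # per-flow state: index of the chunk we expect next
    for blk in blocks:
        if stage < len(chunks) and chunks[stage] in blk:
            stage += 1
    return stage == len(chunks)


class StreamMatcher:
    """KMP matcher whose only cross-block state is an integer (chars matched
    so far), so a pattern straddling any split point is still found."""

    def __init__(self, pattern: bytes):
        self.pattern = pattern
        self.fail = self._failure(pattern)
        self.state = 0

    @staticmethod
    def _failure(p: bytes) -> list:
        fail, k = [0] * len(p), 0
        for i in range(1, len(p)):
            while k and p[i] != p[k]:
                k = fail[k - 1]
            if p[i] == p[k]:
                k += 1
            fail[i] = k
        return fail

    def feed(self, block: bytes) -> bool:
        p, fail, k = self.pattern, self.fail, self.state
        for b in block:
            while k and b != p[k]:
                k = fail[k - 1]
            if b == p[k]:
                k += 1
            if k == len(p):
                self.state = 0
                return True
        self.state = k  # carry the partial match into the next block
        return False


def stream_detect(blocks, pattern: bytes) -> bool:
    m = StreamMatcher(pattern)
    return any(m.feed(blk) for blk in blocks)


def run_scenarios() -> dict:
    """Run the three detectors under different split conditions.
    Returns {scenario: (per_block, chained_flowbits, stream)}."""
    rng = random.Random(1)
    pattern = rng.randbytes(48 * 1024)   # constructed 48K 'attack string'
    filler = rng.randbytes(200 * 1024)   # constructed surrounding payload
    results = {}
    for name, offset, jitter in [("aligned,no_shift", 0, 0),
                                 ("offset_100,no_shift", 100, 0),
                                 ("aligned,random_shift", 0, 4096)]:
        payload = filler[:offset] + pattern + filler[offset:]
        blocks = paf_split(payload, jitter=jitter)
        results[name] = (per_block_detect(blocks, pattern),
                         chained_flowbit_detect(blocks, pattern),
                         stream_detect(blocks, pattern))
    return results


if __name__ == "__main__":
    for scenario, flags in run_scenarios().items():
        print(f"{scenario:24s} per_block={flags[0]} chained={flags[1]} stream={flags[2]}")
```

The chained flowbits model only succeeds in the first scenario, where the string starts exactly on a block boundary and no split point moves; an offset of 100 bytes or a shifted split point defeats it, which is the brittleness HS is pointing at. The streaming matcher is not something you can express in a content rule either; it stands in for what a detector needs (state carried across the PDU boundary) to match a string longer than a block.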