Published by: Luis Riobueno on Feb 19, 2011
Copyright:Attribution Non-commercial

The content matching portion of the detection engine has recursion to handle a few evasion cases. Rules
that are not properly written can cause Snort to waste time duplicating checks.

The recursion currently works as follows: if a pattern matches, and any of the detection options after
that pattern fail, the engine looks for the pattern again, starting just after the position where it was
found the previous time. This repeats until the pattern is not found again or all of the option functions
succeed.

On first read, that may not sound like a smart idea, but it is needed. For example, take the following rule:

alert ip any any -> any any (content:"a"; content:"b"; within:1;)

This rule looks for “a” immediately followed by “b”. Without recursion, the payload “aab” would fail,
because the first “a” is not immediately followed by “b”, even though the payload “aab” obviously does
contain an “a” immediately followed by “b”.

While recursion is important for detection, the recursion implementation is not very smart.

For example, the following rule options are not optimized:

content:"|13|"; dsize:1;

By looking at this rule snippet, it is obvious the rule looks for a packet with a single byte of 0x13. However,
because of recursion, a packet with 1024 bytes of 0x13 could cause 1023 too many pattern match attempts
and 1023 too many dsize checks. Why? The content 0x13 would be found in the first byte, then the dsize
option would fail. Because of recursion, the content 0x13 would then be searched for again, starting after
where the previous 0x13 was found; once found, dsize is checked again, and this repeats until 0x13 is not
found in the payload again.

Reordering the rule options so that discrete checks (such as dsize) are moved to the beginning of the rule
speeds up Snort.

The optimized rule snippet would be:

dsize:1; content:"|13|";

A packet of 1024 bytes of 0x13 would fail immediately, as the dsize check is the first option checked and
dsize is a discrete check without recursion.
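The following is an added example, not code from the Snort manual or from Snort itself: a small Python model of the recursive content matching described above, instrumented to count how often the pattern search and the dsize check run. The option dictionaries, the `within` handling (the new match must lie within N bytes after the end of the previous match) and the 1024-byte payload are constructed for the illustration. It reproduces the “aab” case, which only matches when recursion is enabled, and the cost difference between `content:"|13|"; dsize:1;` and `dsize:1; content:"|13|";` on a 1024-byte payload of 0x13.

```python
# Added example (not Snort's code): a toy model of Snort's recursive
# content matching, instrumented to count option evaluations.
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Stats:
    pattern_searches: int = 0   # calls to the byte-pattern search (incl. the final failing one)
    discrete_checks: int = 0    # dsize evaluations


def _search(payload: bytes, pattern: bytes, start: int,
            anchor: int, within: Optional[int], stats: Stats) -> int:
    """Search for pattern at or after 'start'.

    'anchor' is the end of the previous content match; with 'within', the new
    match must lie entirely within 'within' bytes after that anchor (simplified
    model of Snort's within modifier). Returns the offset or -1.
    """
    stats.pattern_searches += 1
    end = len(payload) if within is None else min(len(payload), anchor + within)
    return payload.find(pattern, start, end)


def evaluate(options: List[Dict[str, Any]], payload: bytes, stats: Stats,
             index: int = 0, cursor: int = 0, recursive: bool = True) -> bool:
    """Evaluate options[index:] against payload, in order, starting at cursor."""
    if index == len(options):
        return True                      # every option succeeded
    opt = options[index]

    if "dsize" in opt:                   # discrete check: no recursion involved
        stats.discrete_checks += 1
        if len(payload) != opt["dsize"]:
            return False
        return evaluate(options, payload, stats, index + 1, cursor, recursive)

    pattern = opt["content"]
    start = cursor
    while True:
        pos = _search(payload, pattern, start, cursor, opt.get("within"), stats)
        if pos < 0:
            return False                 # pattern not found again: rule fails
        if evaluate(options, payload, stats, index + 1, pos + len(pattern), recursive):
            return True
        if not recursive:
            return False                 # non-recursive engine gives up here
        start = pos + 1                  # recursion: retry after the last hit


def match_rule(options: List[Dict[str, Any]], payload: bytes,
               recursive: bool = True) -> Tuple[bool, Stats]:
    """Run a rule body against a payload; return (matched, evaluation counts)."""
    stats = Stats()
    matched = evaluate(options, payload, stats, recursive=recursive)
    return matched, stats


# Constructed rule bodies mirroring the text's snippets.
RULE_AB = [{"content": b"a"}, {"content": b"b", "within": 1}]
RULE_UNOPTIMIZED = [{"content": b"\x13"}, {"dsize": 1}]
RULE_OPTIMIZED = [{"dsize": 1}, {"content": b"\x13"}]
PAYLOAD_1024 = b"\x13" * 1024            # constructed sample payload

if __name__ == "__main__":
    print("aab, recursive:    ", match_rule(RULE_AB, b"aab"))
    print("aab, non-recursive:", match_rule(RULE_AB, b"aab", recursive=False))
    print("unoptimized order: ", match_rule(RULE_UNOPTIMIZED, PAYLOAD_1024))
    print("optimized order:   ", match_rule(RULE_OPTIMIZED, PAYLOAD_1024))
```

With the content option first, the model performs 1024 dsize checks and 1025 pattern searches (the last one failing) before the rule is rejected; with dsize first, a single discrete check rejects the packet and the pattern is never searched for.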

The following rule options are discrete and should generally be placed at the beginning of any rule:

• dsize
• flags
• flow
• fragbits
• icmp_id
• icmp_seq
• icode
• id
• ipopts
• ip_proto
• itype
• seq
• session
• tos
• ttl
• ack
• window
• resp
• sameip
