Snort mailing list archives
Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions)
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 29 Jun 2011 07:40:46 -0400
On Jun 29, 2011, at 7:07 AM, Matthew Jonkman <jonkman () emergingthreatspro com> wrote:
> On Jun 29, 2011, at 6:47 AM, Joel Esler wrote:
>> Just a couple thoughts initially, I'll fwd this over to devel for them to look at as well. Are you dropping packets? I am wondering that, because maybe Snort tagged this as a midstream pickup or something. Do you have a pcap? As a rule writing note, "isset" flowbit checks generally should come before content. I have no idea what this rule does though, but I'd want the flowbit check before the content in this case, as it's only a two byte match.
>
> Thanks for checking on the above Joel, that's something that's been killing me over the years but I thought it was expected behavior... On the flowbits though: I think we had a discussion here a while ago (years perhaps) that flowbits were checked AFTER all content matching, just before the alert stage. So order would be irrelevant in the rule, no?
You are right in the sense that content matches are put into the fast pattern matcher, and therefore processed before the other rule options; however, you are incorrect in your overall assumption. The fast pattern matcher pre-qualifies the rule to run, but when the rule runs, it runs from left to right in the "detection portion" of the rule. With a two byte content match, which will be pre-qualified on just about every packet going by, you want the flowbit first, to make the rule "fail" in a non-alert case as fast as possible. At low speed, or with a large content match, you might not notice much of a difference, but the faster you go, and the more rules you have on, the more of a difference that makes.
> That came around when we were trying to get performance gains by using flowbits to avoid costly content checks, but in the end it didn't help, it only prevented events, not load.
Content checks shouldn't be too costly unless they are really small or commonly occurring (like a two byte one). But it's generally a good practice to write your rules in a standard format every time. Some of the IP blocking conversations may be laid to rest in 2.9.1, so we'll see.

J
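An added model of the evaluation order Joel describes (fast-pattern pre-qualification, then left-to-right option evaluation that stops at the first failing option). This is not Snort code; the option names `MZ` and `hyp.bit`, the traffic, and the work counters are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Packet:
    payload: bytes
    flowbits: set = field(default_factory=set)   # bits already set on this packet's flow

def fast_pattern(options):
    """The fast-pattern matcher keys on the longest content in the rule."""
    return max((v for k, v in options if k == "content"), key=len)

def evaluate(options, pkt, stats):
    """Pre-qualify on the fast pattern, then run options left to right and
    fail at the first option that does not match. stats counts the work done."""
    if fast_pattern(options) not in pkt.payload:
        return False                      # not pre-qualified: rule body never runs
    stats["prequalified"] += 1
    for kind, value in options:
        stats[kind] += 1                  # one evaluation of this option
        if kind == "content" and value not in pkt.payload:
            return False
        if kind == "flowbits" and value not in pkt.flowbits:   # models flowbits:isset
            return False
    return True

def run(options, packets):
    """Return (alert count, per-option evaluation counts) for one rule over the traffic."""
    stats = Counter()
    alerts = sum(evaluate(options, p, stats) for p in packets)
    return alerts, dict(stats)

# The same two options in both orders ("MZ" and "hyp.bit" are constructed values,
# not the rule from the thread).
CONTENT_FIRST = [("content", b"MZ"), ("flowbits", "hyp.bit")]
FLOWBIT_FIRST = [("flowbits", "hyp.bit"), ("content", b"MZ")]

# Constructed traffic: the two-byte content is in every payload, so every packet
# is pre-qualified, but the flowbit is set on only one flow in ten.
TRAFFIC = [Packet(b"MZ" + bytes([i]) * 8, {"hyp.bit"} if i % 10 == 0 else set())
           for i in range(100)]

if __name__ == "__main__":
    for name, rule in (("content first", CONTENT_FIRST), ("flowbit first", FLOWBIT_FIRST)):
        alerts, stats = run(rule, TRAFFIC)
        print(f"{name}: {alerts} alerts, work={stats}")
```

Both orderings produce the same alerts; only the flowbit-first ordering avoids the content evaluation on the 90 packets whose flow never had the bit set.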