Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions)

From: Joel Esler <jesler () sourcefire com>
Date: Wed, 29 Jun 2011 07:40:46 -0400
On Jun 29, 2011, at 7:07 AM, Matthew Jonkman <jonkman () emergingthreatspro com> wrote:


On Jun 29, 2011, at 6:47 AM, Joel Esler wrote:


Just a couple thoughts initially, I'll fwd this over to devel for them to look at as well.

Are you dropping packets?  I am wondering that, because maybe Snort tagged this as a midstream pickup or something.
Do you have a pcap?


As a rule writing note, "isset" flowbit checks generally should come before content.  I have no idea what this rule 
does though, but I'd want the flowbit check before the content in this case, as it's only a two byte match.  




Thanks for checking on the above Joel, thats something that's been killing me over the years but I thought it was 
expected behavior... 

On the flowbits though: I think we had a discussion here a while ago (years perhaps) that flowbits were checked AFTER 
all content matching, just before the alert stage. So order would be irrelevant in the rule, no?


You are right in the sense that content matches are put into the fast pattern matcher, and therefore processed before 
the other rule options, however, you are incorrect in your overall assumption. The fast pattern matcher pre-qualifies 
the rule to run, but when the rule runs, it runs from left to right in the "detection portion" of the rule. With a two 
byte content match, which will be pre-qualified on just about every packet going by, you want the flowbit first, to 
make the rule "fail" in a non-alert case as fast as possible. At low speed, or with a large content match you might not 
notice much of a difference, but the faster you go, and more the rules you have on, that makes a difference. 



That came around when we were trying to get performance gains by using flowbits to avoid costly content checks, but 
in the end it didn't help, it only prevented events, not load.


Content checks shouldnt be too costly unless they are really small or commonly occurring. (like a two byte.)  But it's 
generally a good practice to write your rules in a standard format every time. 

Some of the IP blocking conversations may be laid to rest in 2.9.1, so we'll see. 

J
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
Previous By Date Next
Previous By Thread Next

Current thread: