Snort mailing list archives
Re: Snort 2.9.7.0 Alpha is now available
From: Joshua Kinard <kumba () gentoo org>
Date: Wed, 26 Feb 2014 18:28:51 -0500
On 02/25/2014 10:05 AM, Snort Releases wrote:
> Snort 2.9.7 Alpha is now available on snort.org, at http://www.snort.org/snort-downloads/ in the Development section.
> [snip]
> * A new protected_content rule option that is used to match against a content that is hashed. It can be used to obscure the full context of the rule from the administrator.
This is kinda neat, but wouldn't it make more sense to call it "hashed_content" instead of "protected_content"? After all, MD5 can be collided, so there's potential for the indicator string to be recoverable, in very limited circumstances. E.g., I took both the MD5 and SHA256 examples from the manual and plugged them into crackstation.net, and got back "HTTP" for both. That won't work in all cases, but it demonstrates that a basic, unsalted hash isn't a whole lot of "protection".

Also, any alerts generated by a rule using protected_content would contain the original indicator in the captured packet, and one could simply read the rule text (offset, and the new length parameter) to locate it in that packet.

Last, how does protected_content work with the fast-pattern matcher? I see that you cannot use the 'fast_pattern' keyword with it, so what string is it inserting? Is it using the hash and comparing that against a hash of the specified data pulled from the packet's payload?

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic
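The three points in the reply above (hash-then-compare matching, the indicator being readable from an alert packet via the rule's offset/length, and a short unsalted hash being recoverable) as an added Python example. This is not code from the original post or from Snort; it models protected_content the way the post reads it (hash the `length` bytes at `offset` and compare to the rule's digest), which is an assumption, and the sample payload and wordlist are constructed.

```python
import hashlib
import itertools
import string

# Constructed sample packet payload (not from the post): an HTTP response line.
SAMPLE_PAYLOAD = b"HTTP/1.1 200 OK\r\nServer: example\r\n\r\n"

# Constructed mini wordlist standing in for a crackstation-style lookup table.
SAMPLE_WORDLIST = [b"GET", b"POST", b"HTTP", b"SMTP", b"SSH-"]


def rule_digest(content: bytes, algo: str = "md5") -> str:
    """Produce the digest a rule author would paste into protected_content."""
    return hashlib.new(algo, content).hexdigest()


def protected_content_match(payload: bytes, digest_hex: str, algo: str,
                            offset: int, length: int) -> bool:
    """Assumed semantics of the option as the post reads them: take `length`
    bytes of payload at `offset`, hash them, compare to the rule's digest.
    This is a stand-in model, not Snort's implementation."""
    window = payload[offset:offset + length]
    if len(window) != length:          # not enough payload left to hash
        return False
    return hashlib.new(algo, window).hexdigest().lower() == digest_hex.lower()


def locate_in_alert_packet(payload: bytes, offset: int, length: int) -> bytes:
    """The 'protected' indicator is just the bytes at the rule's offset/length
    in the packet an alert captured; the hash hides nothing there."""
    return payload[offset:offset + length]


def recover_indicator(digest_hex: str, algo: str, length: int,
                      wordlist=SAMPLE_WORDLIST,
                      alphabet: bytes = string.ascii_uppercase.encode()):
    """Recover a short indicator from an unsalted digest: wordlist lookup
    first, then exhaustive search over len(alphabet) ** length candidates.
    `length` is read straight from the rule text, which is what makes the
    search cheap."""
    target = digest_hex.lower()
    for word in wordlist:
        if len(word) == length and hashlib.new(algo, word).hexdigest() == target:
            return word
    for combo in itertools.product(alphabet, repeat=length):
        cand = bytes(combo)
        if hashlib.new(algo, cand).hexdigest() == target:
            return cand
    return None


if __name__ == "__main__":
    for algo in ("md5", "sha256"):
        d = rule_digest(b"HTTP", algo)
        print(algo, d, "match:", protected_content_match(SAMPLE_PAYLOAD, d, algo, 0, 4))
        print("  recovered:", recover_indicator(d, algo, 4))
    print("from alert packet:", locate_in_alert_packet(SAMPLE_PAYLOAD, 0, 4))
```

Swapping MD5 for SHA256 changes nothing about recoverability here: with no salt and a length leaked by the rule, a four-character indicator falls to a wordlist or to a search of a few hundred thousand digests. The brute-force stage is uppercase-only to keep the run short; widen `alphabet` for a more realistic search.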
Current thread:
- Snort 2.9.7.0 Alpha is now available Snort Releases (Feb 25)
- Re: Snort 2.9.7.0 Alpha is now available Joshua Kinard (Feb 26)