Snort mailing list archives
Re: Snort searching algorithm
From: Venkataramesh Bontupalli <bontupalliv1 () udayton edu>
Date: Tue, 13 May 2014 16:33:02 -0400
Thank you Y M,

I am trying to analyse the strength of the SNORT searching algorithm. After my initial study and the replies from SNORT experts, I think (please correct me if I am wrong) the SNORT architecture is primarily divided into 5 modules:

1. Sniffer --- captures the network packets from the NIC card
2. Decoder --- extracts the essential contents of the packets, like IP address, protocols, payload details etc.
3. Preprocessor --- does the decryption and defragmentation of packets into a whole packet and also does initial rule matching (this is the reason why we still see some alerts even though we comment out all rules in snort.conf)
4. Detection Engine --- compares the pre-processed packet details against user-defined snort rules using the Boyer-Moore or Aho-Corasick search algorithm
5. Alert modules --- alerts on the match results

I wrote a simple snort rule so it fires if facebook is opened, by matching the content of incoming packets:

alert tcp any any -> $HOME_NET any (content:"www.facebook.com"; msg:"facebook opened"; sid:2000004;)

I ran wireshark and snort in the same situation and couldn't find the content "facebook" in the wireshark display. Snort somehow combines the packets, decrypts and then runs the rule against it to generate the alert. So is there any possibility to see that pre-processed output?

Sorry for the big email.

Thanks and Regards,
VenkataRamesh

On Tue, May 13, 2014 at 12:43 AM, Y M <snort () outlook com> wrote:
P.S.: Please reply to the entire list so everyone can benefit/participate, and not only to the person who replied to your request.

If I am understanding your request right, then there are several preprocessors through which the packet stream passes before it hits the detection engine (I guess?, logically speaking). For example, packet decoders and the reputation preprocessor get to process packets before the detection engine. However, these preprocessors also have rules (text or SO rules) and will log certain traffic anomalies (rules) or when a blacklisted IP is matched by the reputation preprocessor, respectively. My understanding is that these preprocessors will output directly to the output plugin, as opposed to "consulting" with the detection engine before the actual output is made.

YM

------------------------------
Date: Mon, 12 May 2014 18:48:42 -0400
Subject: RE: [Snort-users] Snort searching algorithm
From: bontupalliv1 () udayton edu
To: snort () outlook com

Thanks for the reply... Is there a possibility to log the preprocessor data before it hits the detection engine? If so, what can be the code/conf changes?

On May 9, 2014 4:25 PM, "Y M" <snort () outlook com> wrote:

From the documentation: http://manual.snort.org/node16.html#SECTION00313000000000000000. Look for "config detection: [search-method <method>]", this should help.

YM

------------------------------
Date: Fri, 9 May 2014 14:32:27 -0400
From: bontupalliv1 () udayton edu
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort searching algorithm

Dear snort users,

Could anyone please tell me what pattern matching algorithm(s) snort uses in the detection engine for detecting malicious packet content against its rules' content.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
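Added example, not code from this thread and not Snort's own source. It is a textbook Aho-Corasick matcher, the multi-pattern algorithm the thread names for Snort's detection engine and one of the choices behind `config detection: search-method`, run first over two constructed TCP segments one at a time and then over the same segments after sequence-number reassembly. Sid 2000004 carries the content string of the rule posted above; sids 2000005 and 2000006, the segment payloads and the `reassemble` helper are all made up for this example, and the helper does not reproduce Snort's stream reassembly or its rule options (no `nocase`, `offset`, `depth`, `pcre`).

```python
from collections import deque

# Added example, not Snort source. Patterns keyed by rule sid; 2000004 is the
# content string from the rule in the thread, the other two are hypothetical.
RULE_CONTENTS = {
    2000004: b"www.facebook.com",
    2000005: b"Host: www.",    # hypothetical; overlaps the pattern above
    2000006: b"cmd.exe",       # hypothetical; never matches the sample below
}


class AhoCorasick:
    """Textbook Aho-Corasick automaton: one pass over the data reports every
    occurrence of every pattern, which is why a detection engine prefers it
    over running a single-pattern matcher such as Boyer-Moore once per rule."""

    def __init__(self, patterns):
        self.goto = [{}]       # goto[state][byte] -> next state (trie edges)
        self.out = [set()]     # out[state] -> sids whose pattern ends here
        self.fail = [0]        # fail[state] -> state of longest proper suffix
        for sid, pat in patterns.items():
            self._add(sid, pat)
        self._link_failures()

    def _add(self, sid, pat):
        s = 0
        for b in pat:
            if b not in self.goto[s]:
                self.goto[s][b] = len(self.goto)
                self.goto.append({})
                self.out.append(set())
                self.fail.append(0)
            s = self.goto[s][b]
        self.out[s].add(sid)

    def _link_failures(self):
        # Breadth-first, so every fail[] consulted here has already been set.
        queue = deque(self.goto[0].values())      # depth-1 states fail to root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit shorter matches
                queue.append(s)

    def search(self, data):
        """Return (end_offset, sid) for every pattern occurrence in data."""
        hits, s = [], 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for sid in sorted(self.out[s]):
                hits.append((i, sid))
        return hits


def reassemble(segments):
    """Order segments by relative TCP sequence number and join contiguous
    payloads into one stream, the view a reassembly preprocessor hands to the
    detection engine. Simplified: a gap or overlap stops the join."""
    stream = b""
    for seq, payload in sorted(segments):
        if seq != len(stream):
            break
        stream += payload
    return stream


def scan_per_segment(matcher, segments):
    """Sids that fire when each segment is scanned on its own."""
    return {sid for _, payload in segments for _, sid in matcher.search(payload)}


def scan_reassembled(matcher, segments):
    """Sids that fire when the reassembled stream is scanned."""
    return {sid for _, sid in matcher.search(reassemble(segments))}


# Constructed segments: an HTTP request whose Host header is split across two
# segments that arrive out of order. The payloads are made up for this example.
SEG_A = b"GET / HTTP/1.1\r\nHost: www.face"
SEG_B = b"book.com\r\nUser-Agent: x\r\n\r\n"
SEGMENTS = [(len(SEG_A), SEG_B), (0, SEG_A)]

if __name__ == "__main__":
    m = AhoCorasick(RULE_CONTENTS)
    print("per segment :", sorted(scan_per_segment(m, SEGMENTS)))
    print("reassembled :", sorted(scan_reassembled(m, SEGMENTS)))
```

Scanning the segments individually fires only the hypothetical Host-header pattern, because "www.facebook.com" straddles the segment boundary and no single packet carries it, which is also what a packet-by-packet view in Wireshark shows. Scanning the reassembled stream fires sid 2000004 as well. Dumping the reassembled buffer from `reassemble` is the closest analogue, in this toy, to the "pre-processed output" asked for above.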
Current thread:
- Snort searching algorithm Venkataramesh Bontupalli (May 09)
- Re: Snort searching algorithm Y M (May 09)
- Message not available
- Re: Snort searching algorithm Y M (May 12)
- Re: Snort searching algorithm Venkataramesh Bontupalli (May 13)
- Message not available
- Re: Snort searching algorithm Y M (May 09)