Snort mailing list archives
Re: Issues with search engines - ac_full in Snort 3
From: Oskar Olsson <oskarol () student chalmers se>
Date: Tue, 6 Mar 2018 16:20:20 +0000
Hi Russ!
First of all, thank you for taking your time helping us.
We tried to disable all the inspectors from the config but this did not seem to help (we still had one inspector
loading - file_mime_process that created one additional state machine for some header patterns, namely :
{ "Content-type:", 13, HDR_CONTENT_TYPE },
{ "Content-Transfer-Encoding:", 26, HDR_CONT_TRANS_ENC },
{ "Content-Disposition:", 20, HDR_CONT_DISP })
not sure if this was the one you mentioned, but when we run Snort in gdb, this happens after compilation of the state
machine that our rules are loaded into)
The image we attached in the previous mail displayed output by a printing function we wrote ourselves. To give you
something you are familiar with, we have attached a new image with the output from acsmPrintDetailInfo2(acsm) and
acsmPrintSummaryInfo2() called before returning from acsmCompile2(acsm).
So the summary says we only have one pattern (which should be "GET", seen in state 3) and only six transitions, but the
output suggests otherwise. Also, the format can clearly be seen to equal 256 for state 3 while it is 0 for the
others. It looks kind of strange, but maybe we are missing something that adds additional patterns. However, in that
case it should have had a transition from G to some state in state 0 and also mention it in the summary, right?
We have not changed the code, so I guess the problem should be replicable if you would like to try it. We are using a
modified version of the default snort.lua file, with the difference that we now commented out the inspectors and we
have previously added "search_engine= { search_method = 'ac_full'}" to use the full matrix format.
If you have time to think of any additional reasons for this behavior, it would be very much appreciated!
Best regards,
Oskar and Linus
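As an added illustration, not code from this thread or from Snort's acsmx2, here is a from-scratch full-matrix Aho-Corasick build of the kind discussed above, so the figures in the summary can be checked independently: for the single pattern "GET" it yields 4 states, 6 matrix entries that do not return to the root, and no target id above 3, while the three file_mime_process header patterns listed above compile into a separate 44-state machine, which is the kind of second machine a printout can pick up. All names here (AcFull, ac_full_build and the helpers) are invented for the example.

```cpp
#include <array>
#include <queue>
#include <string>
#include <vector>

// Constructed full-matrix Aho-Corasick DFA (one 256-entry row per state, like AC_FULL); not Snort's acsmx2 code.
struct AcFull {
    std::vector<std::array<int, 256>> next;  // dense transition matrix
    std::vector<int> fail;                   // failure link per state
    std::vector<std::vector<int>> out;       // pattern ids accepted in a state
    int add_state() {
        next.push_back({}); next.back().fill(-1);   // -1 = not yet resolved
        fail.push_back(0); out.push_back({});
        return (int)next.size() - 1;
    }
};

AcFull ac_full_build(const std::vector<std::string>& patterns) {
    AcFull m; m.add_state();                          // state 0 is the root
    for (int id = 0; id < (int)patterns.size(); ++id) {  // phase 1: trie
        int s = 0;
        for (unsigned char c : patterns[id]) {
            if (m.next[s][c] < 0) { int t = m.add_state(); m.next[s][c] = t; }
            s = m.next[s][c];
        }
        m.out[s].push_back(id);
    }
    std::queue<int> q;   // phase 2: BFS; fold failure links into the matrix
    for (int c = 0; c < 256; ++c)
        if (m.next[0][c] < 0) m.next[0][c] = 0; else q.push(m.next[0][c]);
    while (!q.empty()) {
        int s = q.front(); q.pop();
        for (int c = 0; c < 256; ++c) {
            int t = m.next[s][c];
            if (t < 0) { m.next[s][c] = m.next[m.fail[s]][c]; continue; }
            m.fail[t] = m.next[m.fail[s]][c];     // fail[s] is shallower: resolved
            for (int id : m.out[m.fail[t]]) m.out[t].push_back(id);
            q.push(t);
        }
    }
    return m;
}
int ac_full_max_target(const AcFull& m) {          // highest state id referenced
    int mx = 0; for (const auto& r : m.next) for (int t : r) mx = t > mx ? t : mx; return mx;
}
int ac_full_nonzero_transitions(const AcFull& m) {  // entries not returning to root
    int n = 0; for (const auto& r : m.next) for (int t : r) n += (t != 0); return n;
}
int ac_full_search(const AcFull& m, const std::string& text) {  // pattern hit count
    int s = 0, hits = 0;
    for (unsigned char c : text) { s = m.next[s][c]; hits += (int)m.out[s].size(); }
    return hits;
}
```

A printed machine whose transitions point past ac_full_max_target, or whose state count does not match its own summary, is being read from a different automaton than the one that was compiled.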
________________________________
From: Russ <rucombs () cisco com>
Sent: 6 March 2018 13:31:30
To: Oskar Olsson; snort-devel () lists snort org
Subject: Re: [Snort-devel] Issues with search engines - ac_full in Snort 3
Hi Oskar and Linus,
Yes, we can see the output. What did you use to generate it?
I suspect you are seeing the results of other uses of the search method which occur via SearchTool. If you remove all
inspectors from your conf you can minimize that "noise" but file_id will initialize even when not explicitly configured
so you may want to comment that out or explicitly set the method by SearchTool to something else.
Let me know if that helps.
Thanks
Russ
On 3/6/18 5:52 AM, Oskar Olsson wrote:
Hello there Snort-devel!
We are two students working with Snort 3 for our master's thesis, which relates to the pattern matching in Snort.
We noticed that when we try to print our state machine that we build as AC_FULL in acsmx2, we get very strange
transitions.
The problem is that, even with a single rule with content:GET, the state machine contains multiple transition states
that point to very high numbered states, even though the machine only contains 4 states.
Another strange thing is that the format of each state can vary and take values that should not be possible; for example
it would be 256 for what we think is the state that contains the match of the rule. We have tested code from Snort 2
and also the standard AC machine (acmx.cc), and these seem to produce a valid state machine.
To clarify: Using a simple content rule : alert tcp any any -> any any (msg: "Content Rule"; content: "GET"; sid:1;)
we get states that contain multiple transitions to strange states. We wonder if someone has stumbled upon this problem
previously or knows what might cause this strange behavior.
We have attached an image to this email showing the output of our print; we are not sure you can view it, as this is the
first time we have asked anything on this mailing list.
(If you can view the image, each section is a state and its transitions, the two first numbers are format and output)
Best Regards,
Oskar and Linus
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org<mailto:Snort-devel () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!