
Thread: 3D linkx in snort

  1. #11
    Senior Member RoadClosed
    Join Date
    Jun 2003
    Posts
    3,834
    Yes, I have been trying to think of an analogy. Array is the best term. Snort then uses a "pointer" to match items in the array. When a packet arrives, Snort navigates through the array depending on the protocol etc.

  2. #12
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    Here is how I understand it; tell me if I am wrong.

    Snort uses those 3D links to compare the packets. It first searches for the type, then the header, and then passes it to the correct rule file. Is that right?

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    qod: Close.... Have a cigar anyway..... ;)

    The array is made up from the rules themselves, since there is a certain amount of commonality in many rules. Let's try a simplified version.

    4 rules: (silly examples that are badly written - but I want them simple.....)

    alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 1234 (msg: "1234: The word 'Dog'"; content: "Dog"; flow:from_server,established; classtype: silly-example;)

    alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 1234 (msg: "1234: The word 'Cat'"; content: "Cat"; flow:from_server,established; classtype: silly-example;)

    alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 4321 (msg: "4321: The word 'Dog'"; content: "Dog"; flow:from_server,established; classtype: silly-example;)

    alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 4321 (msg: "4321: The word 'Cat'"; content: "Cat"; flow:from_server,established; classtype: silly-example;)

    So, at startup The Pig, (Snort), reads the rules and sets up a grid like so, (this is the first dimension and it may not be the exact way The Pig does it but it's the concept I'm trying to get across...... Note: This is a 2D layer.)

    External 80 Internal 1234 Dog 1234: The word 'Dog'

    The second layer will be, (now we are 3D and the "_________" is there as a spacer because AO trims the leading spaces):

    _____________________Cat 1234: The word 'Cat'

    3rd layer

    _________________4321 Dog 4321: The word 'Dog'

    4th Layer

    ______________________Cat 4321: The word 'Cat'

    So when a packet comes in that is coming from an external server on port 80 to port 4321 on the internal network and contains the word "Cat" The Pig will look at the first layer of the grid and follow this pattern:

    1. Search 1st column for variable match "EXTERNAL" - have variable match row 1 - have other matching layers
    2. Search col 2 for port 80 - port 80 found - have other matching layers - move to column 3
    3. Search for "Internal" - Internal found - have other matching layers - move to column 4
    4. Search for 4321 - not found - step back a layer - check 4321 - not found step back a layer - FOUND - move to column 5 - have other matching layers
    5. Find "Cat" - not found go back a layer - No more layers - match "cat" Found.
    6. Create alert containing message "4321: The word 'Cat'"

    If you follow that then you can see how making the 3D grid of similar rules speeds up the search capability of The Pig. Doing "match and moves" consists of, overall, fewer comparisons than taking each rule one at a time and making the six, (in this case), comparisons required for each rule.

    I hope that helps - it is a little odd to grasp but it is a good way of ensuring The Pig can process the maximum data in the minimum time.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #14
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    I think I get it now.
    Snort loads the rules in a 2D layer, and then uses the 3D layer for better searching for the rule.

  5. #15
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It loads groups of rule parameters that are similar in the front layer, and in the subsequent layers are the variations on those groups, so that if it gets so far down layer one and finds no match it can move backwards through the layers trying to find a match amongst the variations. As soon as it does it produces an alert. If it gets to the deepest layer and still finds no match then the packet passes the test and no alert is generated.

    Think of it kind of like looking at a Rubik's Cube from the side. What you see is a 2D "grid". That grid is analogous to the first layer. Once you fail to find a match in the first layer's data you move back to the second layer at the point at which you failed to match in the first layer and search, then on to the third if no match is found on the second. If no match is found on the third then the packet "falls out of the back" or "passes the test" and generates no alert.

    You're getting there.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #16
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    Thanks, I think I understand it better now. I just need some more research on it and how Snort goes through rules.

    Just a quick question: are you limited to only 3 dimensions, and what do the 3 dimensions represent?

    For example, the
    1st dimension represents the TCP header,
    the 2nd represents the port,
    and the 3rd represents the contents.

  7. #17
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    As The Pig goes through the rules it creates the 3D grid that matches similar characteristics of rules into the grid.... The more "common" characteristics a series of rules have, the more they will be "condensed" into the grid, so that when x number of characteristics have been matched, rather than starting again, The Pig can step back a layer and continue looking for a match..... The more commonality in a set of rules, the deeper the number of layers will be for the commonality - thus the total depth of the entire cube will be greater for some rule sets than others. Picture the Rubik's Cube as you think of the grid, but remember that the grid will be a "mega" Rubik's Cube.... because it relies on the deepest number of layers of the ruleset that contains the most commonality with it.

    BTW, thanks for making me look at this in more detail......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #18
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    That is what I am here for.

    Anyway, just one more question: why does The Pig go backwards and not forward?

  9. #19
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Not sure what you mean by "backwards"

    Look at p.120. The Pig runs its searches almost exactly in the order the rule is written, (Chain, RTN's, (Protocol, Source IP, Destination IP, Source Port, Destination Port), OTN's (the 35 possible options)).

    So to me, that is going forwards..... It's logical though. What would be the point of matching the content "Dog" and looking back up the tree only to find that the content was for a TCP packet while the packet being analyzed is, in fact, a UDP packet? Bunch of time wasted there by finding what is, after all, the crux of the rule - but finding it in the wrong type of packet.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
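    The four "silly" rules from #13 and the search order described in #19 (the header fields first, then the content options), as an added example that is not part of this thread or of Snort's own code: it parses the rules, stacks their headers into a trie (rules sharing a header prefix share one path, which is the post's "layers"; the msg/content options hang off the leaf), and counts the comparisons a layered walk needs against taking each rule on its own. HOME_NET, the packet layout and the way comparisons are counted are assumptions of the example.

    ```python
    import ipaddress
    import re

    HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed; Snort reads this from snort.conf
    FIELDS = ("proto", "src", "sport", "dst", "dport")
    RULE_RE = re.compile(r"^alert (\S+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")
    RULES = [  # the four "silly" rules from the post, flow/classtype options dropped for brevity
        "alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 1234 (msg: \"1234: The word 'Dog'\"; content: \"Dog\";)",
        "alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 1234 (msg: \"1234: The word 'Cat'\"; content: \"Cat\";)",
        "alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 4321 (msg: \"4321: The word 'Dog'\"; content: \"Dog\";)",
        "alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 4321 (msg: \"4321: The word 'Cat'\"; content: \"Cat\";)"]

    def parse_rule(text):  # header tuple = the RTN part, option dict (msg, content) = the OTN part
        *header, opts = RULE_RE.match(text).groups()
        pairs = (o.split(":", 1) for o in opts.split(";") if ":" in o)
        return tuple(header), {k.strip(): v.strip().strip('"') for k, v in pairs}

    def field_matches(rule_value, packet_value):
        if rule_value.endswith("_NET"):  # resolve the two address variables against HOME_NET
            return (ipaddress.ip_address(packet_value) in HOME_NET) == (rule_value == "INTERNAL_NET")
        return rule_value == "any" or rule_value == str(packet_value)

    def build_tree(rules):  # rules sharing a header prefix share one path; options hang off the leaf
        root = {}
        for header, options in map(parse_rule, rules):
            node = root
            for value in header:
                node = node.setdefault(value, {})
            node.setdefault("_otn", []).append(options)
        return root

    def match_tree(node, packet, depth=0, count=None):
        # walk one layer at a time; a failed comparison steps to the next sibling, never restarts
        count, alerts = ([0] if count is None else count), []
        for value, child in node.items():
            count[0] += len(child) if value == "_otn" else 1
            if value == "_otn":  # header fully matched: test each content option
                alerts += [o["msg"] for o in child if o["content"] in packet["payload"]]
            elif field_matches(value, packet[FIELDS[depth]]):
                alerts += match_tree(child, packet, depth + 1, count)[0]
        return alerts, count[0]

    def match_linear(rules, packet):  # baseline: each rule on its own, comparisons redone from scratch
        count, alerts = 0, []
        for header, options in map(parse_rule, rules):
            checks = [field_matches(v, packet[f]) for v, f in zip(header, FIELDS)]
            count += checks.index(False) + 1 if False in checks else len(checks) + 1  # short-circuit cost
            if all(checks) and options["content"] in packet["payload"]:
                alerts.append(options["msg"])
        return alerts, count
    ```

    For the packet in #13 (external server port 80 to internal port 4321 carrying "Cat") the tree walk makes 8 comparisons and the one-rule-at-a-time scan makes 22, both raising only "4321: The word 'Cat'"; a UDP packet fails at the first layer after a single comparison.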

  10. #20
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    Thanks, Tiger Shark.
