What are 3D rule set links in Snort? And what do they do? I never understood that. :)
I've just upgraded my Snort to version 2.0.5 and I have no idea what rules you are talking about. Can you be more specific?
This is from http://www.snort.org/docs/lisapaper.txt
Snort - Lightweight Intrusion Detection for Networks
Martin Roesch
The detection engine
Snort maintains its detection rules in a two dimensional linked list of
what are termed Chain Headers and Chain Options. These are lists of rules that
have been condensed down to a list of common attributes in the Chain Headers,
with the detection modifier options contained in the Chain Options. For
example, if forty five CGI-BIN probe detection rules are specified in a given
Snort detection library file, they generally all share common source and
destination IP addresses and ports. To speed the detection processing, these
commonalities are condensed into a single Chain Header and then individual
detection signatures are kept in Chain Option structures.
Figure 3 - Rule Chain logical structure
[Figure: a horizontal linked list of Chain Headers, each holding Source IP Address, Destination IP Address, Source Port and Destination Port; below each Chain Header hangs a vertical linked list of Chain Options holding Content, TCP Flags, ICMP Codes/types, Payload Size, etc.]
These rule chains are searched recursively for each packet in both
directions. The detection engine checks only those chain options which have
been set by the rules parser at run-time. The first rule that matches a
decoded packet in the detection engine triggers the action specified in the
rule definition and returns.
Anyone know what this is talking about? I could not understand it.
Where does the term "3D ruleset link" come into context?
qod: I'd kinda forget about that. The paper is about 3 years old and refers back to version 1.5 or so. We are at 2.0.5 right now and the detection engine no longer chains similar rules in the way that it did back then.
No, but I was reading the book Snort 2: Intrusion Detection and it still talks about 3-dimensional links, and I still do not understand how they work or why they are needed.
What page? There's nothing in the index and I need a reminder of what it is talking about.
Yes, I have the book too and I also searched snort.org so I am confused.
Ah, 114-115, 118-119.
Page 118, header "What is a 3D linked list".
It's just a way to look at (or map) how the rules are processed?
Still consuming.
Ok..... All Snort is doing is creating an array of sorts out of the rules themselves to aid in speeding up rule matches. Frankly I can't think of a better way of explaining it than the book does. Look at the diagram of the tree as you read the text on the pages mentioned by Roadclosed and it should become crystal clear.....
Yes, I have been trying to think of an analogy. Array is the best term. Snort then uses a "pointer" to match items in the array. When a packet arrives, Snort navigates through the array depending on the protocol etc.
Here is how I understand it; tell me if I am wrong.
Snort uses those 3D links to compare the packets. It first searches for the type, then the header, and then passes it to the correct rule file. Is that right?
qod: Close.... Have a cigar anyway..... ;)
The array is made up from the rules themselves since there is a certain amount of commonality in many rules. Let's try a simplified version.
4 rules: (silly examples that are badly written - but I want them simple.....)
alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 1234 (msg: "1234: The word 'Dog'"; content: "Dog"; flow:from_server,established; classtype: silly-example;)
alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 1234 (msg: "1234: The word 'Cat'"; content: "Cat"; flow:from_server,established; classtype: silly-example;)
alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 4321 (msg: "4321: The word 'Dog'"; content: "Dog"; flow:from_server,established; classtype: silly-example;)
alert tcp EXTERNAL_NET 80 -> INTERNAL_NET 4321 (msg: "4321: The word 'Cat'"; content: "Cat"; flow:from_server,established; classtype: silly-example;)
So, at startup The Pig, (Snort), reads the rules and sets up a grid like so, (this is the first dimension and it may not be the exact way The Pig does it but it's the concept I'm trying to get across...... Note: This is a 2D layer.)
External 80 Internal 1234 Dog 1234: The word 'Dog'
The second layer will be, (now we are 3D and the "_________" is there as a spacer because AO trims the leading spaces):
_____________________Cat 1234: The word 'Cat'
3rd layer
_________________4321 Dog 4321: The word 'Dog'
4th Layer
______________________Cat 4321: The word 'Cat'
So when a packet comes in that is coming from an external server on port 80 to port 4321 on the internal network and contains the word "Cat", The Pig will look at the first layer of the grid and follow this pattern:
1. Search 1st column for variable match "EXTERNAL" - have variable match row 1 - have other matching layers
2. Search col 2 for port 80 - port 80 found - have other matching layers - move to column 3
3. Search for "Internal" - Internal found - have other matching layers - move to column 4
4. Search for 4321 - not found - step back a layer - check 4321 - not found - step back a layer - FOUND - move to column 5 - have other matching layers
5. Find "Cat" - not found - go back a layer - no more layers - match "Cat" found.
6. Create alert containing message "4321: The word 'Cat'"
If you follow that then you can see how making the 3D grid of similar rules speeds up the search capability of The Pig. Doing "match and moves" consists of, overall, fewer comparisons than taking each rule one at a time and making the six, (in this case), comparisons required for each rule.
I hope that helps - it is a little odd to grasp but it is a good way of ensuring The Pig can process the maximum data in the minimum time.
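To make tiger shark's four-rule grid and the paper's Chain Header / Chain Option lists concrete, here is an added worked example written for this thread (not Snort's own code): it condenses the four rules into headers with their option lists, matches the "Cat to port 4321" packet, and counts field comparisons against checking every rule on its own. The field names, the dict-based chain and the way comparisons are counted are assumptions of this toy model.

```python
# Constructed input: the four "silly example" rules from the post above, as
# (proto, src, sport, dst, dport, content, msg). Field names are assumed here.
RULES = [
    ("tcp", "EXTERNAL_NET", 80, "INTERNAL_NET", 1234, "Dog", "1234: The word 'Dog'"),
    ("tcp", "EXTERNAL_NET", 80, "INTERNAL_NET", 1234, "Cat", "1234: The word 'Cat'"),
    ("tcp", "EXTERNAL_NET", 80, "INTERNAL_NET", 4321, "Dog", "4321: The word 'Dog'"),
    ("tcp", "EXTERNAL_NET", 80, "INTERNAL_NET", 4321, "Cat", "4321: The word 'Cat'"),
]
HEADER_FIELDS = ("proto", "src", "sport", "dst", "dport")

def build_chain(rules):
    """Condense rules with identical header fields into one Chain Header:
    {header_key: [(content, msg), ...]} -- headers are the first dimension,
    each header's own Chain Options hang below it."""
    chain = {}
    for *key, content, msg in rules:
        chain.setdefault(tuple(key), []).append((content, msg))
    return chain

def header_matches(key, pkt):
    """Compare header fields one at a time and stop at the first mismatch;
    return (matched, number_of_field_comparisons_made)."""
    for n, (name, want) in enumerate(zip(HEADER_FIELDS, key), start=1):
        if pkt[name] != want:
            return False, n
    return True, len(HEADER_FIELDS)

def match_chain(chain, pkt):
    """Walk the chain: test each header once, then only its own options.
    Returns (msg_of_first_match_or_None, total_comparisons)."""
    total = 0
    for key, options in chain.items():
        ok, n = header_matches(key, pkt)
        total += n
        if not ok:
            continue                      # skip every option under this header
        for content, msg in options:
            total += 1                    # one content comparison per option
            if content in pkt["payload"]:
                return msg, total         # first matching rule fires, then return
    return None, total

def match_flat(rules, pkt):
    """Naive alternative: re-test the full header of every rule, one by one."""
    total = 0
    for *key, content, msg in rules:
        ok, n = header_matches(tuple(key), pkt)
        total += n
        if ok:
            total += 1
            if content in pkt["payload"]:
                return msg, total
    return None, total

# Constructed packet from the post: external server port 80 -> internal 4321, "Cat".
PKT = {"proto": "tcp", "src": "EXTERNAL_NET", "sport": 80,
       "dst": "INTERNAL_NET", "dport": 4321, "payload": "The Cat sat"}
```

With these four rules the chained walk reaches the "4321: The word 'Cat'" alert in 12 field comparisons, while testing each rule in full takes 22; the gap grows with the number of rules sharing a header.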
I think I get it now.
Snort loads the rules in a 2D layer, and then uses the 3D layer for better searching for the rule.
It loads groups of rule parameters that are similar in the front layer, and in the subsequent layers are the variations on those groups, so that if it gets so far down layer one and finds no match it can move backwards through the layers trying to find a match amongst the variations. As soon as it does it produces an alert. If it gets to the deepest layer and still finds no match then the packet passes the test and no alert is generated.
Think of it kind of like looking at a Rubik's cube from the side. What you see is a 2D "grid". That grid is analogous to the first layer. Once you fail to find a match in the first layer's data you move back to the second layer at the point at which you failed to match in the first layer and search, then on to the third if no match is found on the second. If no match is found on the third then the packet "falls out of the back" or "passes the test" and generates no alert.
You're getting there..... ;)
Thanks, I think I understand it better now. Just need some more research on it and how Snort goes through rules.
Just a quick question: are you limited to only 3 dimensions, and what do the 3 dimensions represent?
For example, the
1st dimension represents the TCP header,
the 2nd represents the port,
and the 3rd represents the contents.
As The Pig goes through the rules it creates the 3D grid that matches similar characteristics of rules into the grid.... The more "common" characteristics a series of rules have, the more they will be "condensed" into the grid, so that when x number of characteristics have been matched, rather than starting again, The Pig can step back a layer and continue looking for a match..... The more commonality in a set of rules, the deeper the number of layers will be for the commonality - thus the total depth of the entire cube will be greater for some rule sets than others. Picture the Rubik's Cube as you think of the grid, but remember that the grid will be a "mega" Rubik's Cube.... because it relies on the deepest number of layers of the ruleset that contains the most commonality with it.
BTW, thanks for making me look at this in more detail...... :cool:
that is what i am here for :D
Anyway, just one more question: why does The Pig go backwards and not forward?
Not sure what you mean by "backwards"
Look at p.120. The Pig runs its searches almost exactly in the order the rule is written, (Chain, RTN's, (Protocol, Source IP, Destination IP, Source Port, Destination Port), OTN's (the 35 possible options)).
So to me, that is going forwards..... It's logical though. What would be the point of matching the content "Dog" and looking back up the tree only to find that the content was for a TCP packet while the packet being analyzed is, in fact, a UDP packet? Bunch of time wasted there by finding what is, after all, the crux of the rule - but finding it in the wrong type of packet.
Thanks, tiger shark.