Multi-Packet Matching

From Andre Ludwig: Ability to look across packets in a stream, be it 3 packets before or 4 packets ahead. The ability to follow conditions of state that are triggered by packets before or after a "match" would be extremely valuable. (rpc comes to mind, as well as some application layer attacks). Ideally the ability to perform functions against packets (be it arithmetic, comparisons, or functions on "running variables" for a "attack detection set").

The concept here of course is to follow a tcp stream looking for precursory actions that are needed to finesse an endpoint into an exploitable situation. Be it forcing the endpoint to allocate a buffer of X size with XYZ rpc call, that is later exploited by calls to 3 other RPC calls with varying parameters. The critical key is to engineer a system that affords you the flexibility to effectively "emulate" and follow increasingly complex attack scenarios to the point of detecting actual attacks and not simply triggering a FP. My single largest frustration with snort (beyond the fact that i absolutely hate its limited ability to detect "proper attacks") is that you are effectively looking at one packet at a time. You do not have the ability to create per tcp stream variables that would allow you to compare against packets furthur down the stream.

-- MattJonkman - 17 Oct 2008

Topic revision: r1 - 2008-10-17 - MattJonkman
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats