snort-devel February 2014 archive

Re: [Snort-devel] Snort 2.9.7.0 Alpha is now available

From: Joshua Kinard <kumba_at_nospam>
Date: Wed Feb 26 2014 - 23:28:51 GMT
To: snort-devel@lists.sourceforge.net

On 02/25/2014 10:05 AM, Snort Releases wrote:
> Snort 2.9.7 Alpha is now available on snort.org, at
> http://www.snort.org/snort-downloads/ in the Development section.
>
[snip]
> * A new protected_content rule option that is used to match against a
> content that is hashed. It can be used to obscure the full context of
> the rule from the administrator.

This is kinda neat, but wouldn't it make more sense to call it
"hashed_content" instead of "protected_content"? After all, MD5 can be
collided, so there's potential for the indicator string to be recoverable,
in very limited circumstances. E.g., I took both the MD5 and SHA256
examples from the manual and plugged them into crackstation.net, and got
back "HTTP" for both. That won't work in all cases, but it demonstrates
that a basic, unsalted hash isn't a whole lot of "protection".

Also, any alerts generated by a rule using protected_content would contain
the original indicator in the captured packet, and one could simply read the
rule text (offset, and the new length parameter) to locate it in that packet.

Last, how does protected_content work with the fast-pattern matcher? I see
that you cannot use the 'fast_pattern' keyword with it, so what string is it
inserting? Is it using the hash and comparing that against a hash of the
specified data pulled from the packet's payload?

--
Joshua Kinard
Gentoo/MIPS
kumba@gentoo.org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.
And our lives slip away, moment by moment, lost in that vast, terrible
in-between."

--Emperor Turhan, Centauri Republic

_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
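The three points raised in the message above, as an added example that is not part of the original mail and not Snort's protected_content implementation: a constructed Python model of a hashed-content rule in which the rule carries only a digest plus an offset and length. The rule fields (algo, digest, offset, length), the sample payload and the wordlist are all assumptions made for the illustration. It shows that the rule still matches without ever shipping the plaintext, that an unsalted digest of a short indicator falls to a wordlist lookup (the crackstation observation), that the plaintext is read straight out of an alerted packet at the rule's offset/length, and why a hash-only rule has no literal to hand to a fast-pattern pre-filter.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed model of a hashed-content ("protected_content"-style) match.
# NOT Snort's code; rule field names and the sample data are assumptions.

SUPPORTED_ALGOS = ("md5", "sha256", "sha512")


def build_rule(indicator: bytes, algo: str = "md5", offset: int = 0) -> dict:
    """What the rule author ships: the digest of the indicator, never the
    indicator itself. The length still has to be published for matching."""
    if algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported hash {algo}")
    return {
        "algo": algo,
        "digest": hashlib.new(algo, indicator).hexdigest(),
        "offset": offset,
        "length": len(indicator),
    }


def _digest_at(payload: bytes, offset: int, length: int, algo: str) -> Optional[str]:
    """Digest of payload[offset:offset+length], or None if out of range."""
    if offset < 0 or length <= 0 or offset + length > len(payload):
        return None
    return hashlib.new(algo, payload[offset:offset + length]).hexdigest()


def matches(payload: bytes, rule: dict) -> bool:
    """Hash `length` bytes at `offset` and compare against the rule digest."""
    got = _digest_at(payload, rule["offset"], rule["length"], rule["algo"])
    return got is not None and hmac.compare_digest(got, rule["digest"])


def scan(payload: bytes, rule: dict) -> List[int]:
    """Match with no known offset: one digest per candidate position.
    There is no literal substring to give a fast-pattern matcher, so a
    hash-only rule cannot be pre-filtered the way a content: match can."""
    length, algo = rule["length"], rule["algo"]
    if length <= 0:
        return []
    return [
        i for i in range(len(payload) - length + 1)
        if hmac.compare_digest(_digest_at(payload, i, length, algo), rule["digest"])
    ]


def recover_indicator(rule: dict, wordlist: List[str]) -> Optional[str]:
    """Wordlist lookup against the unsalted digest, i.e. what a hash lookup
    site does. Only candidates of the published length need hashing."""
    for word in wordlist:
        data = word.encode()
        if len(data) != rule["length"]:
            continue
        if hashlib.new(rule["algo"], data).hexdigest() == rule["digest"]:
            return word
    return None


def indicator_from_alert(payload: bytes, rule: dict) -> bytes:
    """Given the alerted packet and the rule's offset/length, the original
    indicator is simply the bytes the rule hashed."""
    return payload[rule["offset"]:rule["offset"] + rule["length"]]


def demo() -> tuple:
    # Constructed sample payload and wordlist, not captured traffic.
    payload = b"HTTP/1.1 200 OK\r\nServer: example\r\n\r\n"
    rule = build_rule(b"HTTP", "md5", offset=0)
    wordlist = ["GET", "POST", "SMTP", "HELO", "HTTP", "PING"]
    return (
        matches(payload, rule),            # rule fires without the plaintext
        scan(payload, rule),               # positions found by brute hashing
        recover_indicator(rule, wordlist), # digest falls to a short wordlist
        indicator_from_alert(payload, rule),  # plaintext read from the packet
    )


if __name__ == "__main__":
    print(demo())
```

The `length` field is the weak point the model makes visible: it both lets a defender locate the indicator in any alerted packet and lets an attacker restrict a wordlist to exactly that byte length before hashing, so an unsalted digest of a few bytes is cheap to reverse regardless of whether MD5 or SHA-256 is chosen.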