Search code examples
regextcppattern-matchingsnortintrusion-detection

Can pattern matching go across TCP packets?


I am new to Intrusion Detection system. From what I know, it seems the pattern matching (e.g., PCRE in Snort) only search matches within a packet.

Can pattern matching go across packets?

In practice, do people care about cross-packets patterns?


Solution

  • If you are doing stream reassembly (which should be enabled by default in the standard snort.conf) then yes. This is called the pseudo packet (or reassembled packet) which snort builds from multiple packets and reassembles. You can read about this functionality and configuration for it here. This is probably the most important part of snort (and most expensive), without stream reassembly many many exploits would be missed. Without reassembly snort would only be able to inspect the raw packets. For example:

    TCP Packet contains 2000 bytes of data, the MTU on the network is 1500, so this packet must be chopped up into separate packets to be sent. Say 1400 bytes are sent in packet 1 and the other 600 bytes in packet 2. If there is an exploit within this packet and the content that snort is looking for is contained within bytes 1360-1500 then snort would miss the exploit and would not alert. With stream reassembly snort will reassemble the packet:

    Say you have a snort rule looking for the content "THIS IS AN EXPLOIT".

    Raw packet 1: ....data...THIS IS AN
    Raw packet 2: EXPLOIT....data...

    Without stream reassembly snort would miss this exploit. With stream reassembly snort will rebuild the pseudo packet and it will run the rule content against that so it will see:

    Pseudo packet: ...data...THIS IS AN EXPLOIT...data...

    And the rule will match.