
Bug fix for fast_pattern interpretation for relative matches

This change ensures that fwsnort does not attempt to re-order pattern matches
for patterns that have a relative match requirement.  For non-relative matches
fwsnort re-orders pattern matches based on the pattern length, reasoning that
the longest pattern should be processed first for better performance.  The
usage of the fast_pattern keyword gives the user explicit control over this.

Here is a Snort rule that is now properly handled by fwsnort:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; file_data; content:"%FDF-"; depth:300; content:"/F(JavaScript|3a|"; nocase; distance:0; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; sid:2010664; rev:8;)

Before this change, fwsnort translated this rule as:

$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string --hex-string "/F(JavaScript|3a|" --algo bm --from 69 --icase -m string --hex-string "%FDF|2d|" --algo bm --to 364 -m comment --comment "sid:2010664; msg:ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37763; rev:8; FWS:1.6;" -j LOG --log-ip-options --log-tcp-options --log-prefix "SID2010664 ESTAB "

Note that in the above rule, the "/F(JavaScript|3a|" pattern was switched to
be evaluated first even though it is a relative match to the previous pattern
in the original Snort rule.  After this change, fwsnort translates this rule
as:

$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string --hex-string "%FDF|2d|" --algo bm --to 364 -m string --hex-string "/F(JavaScript|3a|" --algo bm --from 69 --icase -m comment --comment "sid:2010664; msg:ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37763; rev:8; FWS:1.6;" -j LOG --log-ip-options --log-tcp-options --log-prefix "SID2010664 ESTAB "
1 parent d90f902 commit 19625a6eb7e40a375be733b0a74b550292f4dcf8 @mrash committed Sep 2, 2011
Showing with 16 additions and 3 deletions.
  1. +16 −3 fwsnort
@@ -2041,9 +2041,22 @@ sub build_content_matches() {
### of signature matches on average)
my $max_len = 0;
my $max_len_index = 0;
- for (my $index=0; $index <= $#$patterns_ar; $index++) {
- if ($patterns_ar->[$index]->{'length'} > $max_len) {
- $max_len = $patterns_ar->[$index]->{'length'};
+ PATTERN: for (my $index=0; $index <= $#$patterns_ar; $index++) {
+ my $pat_ar = $patterns_ar->[$index];
+
+ if ($pat_ar->{'length'} > $max_len) {
+
+ ### make sure it is not a relative match
+ next PATTERN if defined $pat_ar->{'distance'};
+ next PATTERN if defined $pat_ar->{'within'};
+
+ if ($index < $#$patterns_ar) {
+ my $next_pat_ar = $patterns_ar->[$index+1];
+ next PATTERN if defined $next_pat_ar->{'distance'};
+ next PATTERN if defined $next_pat_ar->{'within'};
+ }
+
+ $max_len = $pat_ar->{'length'};
$max_len_index = $index;
}
}
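Review bot: the relative-match test is written out twice in this hunk, once for the candidate (`next PATTERN if defined $pat_ar->{'distance'};` / `next PATTERN if defined $pat_ar->{'within'};`) and again for `$next_pat_ar`; a small predicate such as `is_relative($pat)` returning true when either `distance` or `within` is defined would remove the duplication and give one place to extend if further relative modifiers need to be recognised. The `### make sure it is not a relative match` comment also undersells the second check: the look-ahead exists because the candidate is the anchor for a following distance/within match, so hoisting it to the front would break that anchor, and a one-line comment saying so would help the next reader. Finally, nothing in this hunk references the fast_pattern keyword named in the commit title; if fast_pattern is meant to override the length-based reordering, that handling either lives elsewhere or is still missing, and the commit message should say which.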

0 comments on commit 19625a6