The meta.rules file, Support for snort's flow keyword, Handling segmentation evasion – Force10 Networks PSeries 100-00055-01 User Manual


P-Series Installation and Operation Guide, version 2.3.1.2, page 71

You can inspect Signatures 4, 5, and 6, and verify that they trigger a match and place a packet in Match
Memory — thus alerting the host — if three consecutive packets are seen with size between 0 and 100. The
third packet references the previous two stored in Temporary Memory. Thus, once the third packet is
received, the three segments are presented to the host through the DPI network interface. Notice that the bit
pattern used in the two rules avoids collision with the previous rule if the flow hashing also happens to
collide.

The meta.rules File

The meta.rules file — located in the pnic-compiler/rules directory — specifies a number of stateful rules to be used with standard Snort rules (which use the flow keyword). In addition, these rules implement a stateful mechanism to counter some common forms of TCP IDS evasion. The meta rules are given in Appendix C, on page 123.

Support for Snort's flow Keyword

The two stateful rules in Table 21 initiate a new flow if a SYN or a SYN-ACK is seen. A Snort flow-established keyword is translated to S:4 and S:2 for client-to-server and server-to-client flows, respectively. These keywords are automatically inserted by the PNIC-Compiler when a flow-established keyword is encountered during compilation. You can also insert the keywords directly into your rules.
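As an added illustration of the translation just described (example code, not part of the PNIC-Compiler), the following Python rewriter inserts the stateful keyword right after a Snort flow:established option. The S:n syntax is taken from the Table 21 rules; the mapping of Snort's direction modifiers (to_server/from_client to S:4, to_client/from_server to S:2) and the rejection of a direction-less flow:established are assumptions of this example.

```python
import re

# Added example (not PNIC-Compiler code): mimic the translation of Snort's
# flow:established into the S:n stateful keyword shown on this page. ASSUMPTION:
# the direction mapping below; a flow:established with no direction is rejected.
DIRECTION_TO_STATE = {
    "to_server": 4, "from_client": 4,   # client-to-server flow -> S:4
    "to_client": 2, "from_server": 2,   # server-to-client flow -> S:2
}

def split_options(body):
    """Split a rule option body on ';', honouring double quotes and backslash escapes."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # keep escaped char, e.g. \; or \"
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def translate_flow_established(rule):
    """Return the rule with S:4 or S:2 inserted right after its flow:established option."""
    m = re.match(r"^(.*?)\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        raise ValueError("rule has no option section")
    header, body = m.group(1), m.group(2)
    out = []
    for opt in split_options(body):
        out.append(opt)
        name, _, value = opt.partition(":")
        if name.strip() != "flow":
            continue
        mods = {v.strip() for v in value.split(",")}
        if "established" not in mods:
            continue
        states = {DIRECTION_TO_STATE[d] for d in mods if d in DIRECTION_TO_STATE}
        if len(states) != 1:
            raise ValueError("flow:established needs exactly one direction modifier")
        out.append("S:%d" % states.pop())
    return "%s(%s;)" % (header, "; ".join(out))
```

Rules without a flow:established option, such as the Table 21 rules themselves, are returned unchanged.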

Handling Segmentation Evasion

Tools like fragroute or Nessus are used to fragment the packet payload into several TCP segments in order to evade packet-based signature systems. The stateful rules in Table 22 detect the arrival of packets exhibiting an anomalous use of TCP segmentation.

Table 21 Flow Established Rules

alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; S:1; R:2; C:3;)

alert tcp any any -> any any (msg:"Z SYNACK"; flags:SA; S:1; R:2; C:5;)
