From: Tom Peters (thopeter) Date: Tue, 18 Dec 2018 19:53:38 +0000 (-0500) Subject: Merge pull request #1467 in SNORT/snort3 from ~MIREDDEN/snort3:snort2lua_dev_notes2... X-Git-Tag: 3.0.0-251~83 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bdf4c2135eeb7c129e3a16b670eaebd1cd2132e1;p=thirdparty%2Fsnort3.git Merge pull request #1467 in SNORT/snort3 from ~MIREDDEN/snort3:snort2lua_dev_notes2 to master Squashed commit of the following: commit 93214fa1456a19a10e06747b67a0fbb37a1988d9 Author: Mike Redden Date: Fri Dec 14 16:05:44 2018 -0500 snort2lua: Create dev_notes.txt for sticky buffers --- diff --git a/tools/snort2lua/rule_states/dev_notes.txt b/tools/snort2lua/rule_states/dev_notes.txt new file mode 100644 index 000000000..5865d274c --- /dev/null +++ b/tools/snort2lua/rule_states/dev_notes.txt 
@@ -0,0 +1,43 @@ +This directory contains rule conversion classes to convert snort2 rules +to snort3 rules. + +Sticky buffer rule option conversion +------------------------------------ +Some rule options are used to set the cursor used to walk the packet +payload in rule processing to the beginning of certain buffers containing +packet data. A rule option that sets the cursor to the beginning of a +buffer is considered "sticky" if the cursor remains set to an absolute +or relative position in the buffer for subsequent rule option processing +until explicitly reset by other rule options. + +Snort2 implemented the following list of "sticky" buffer rule options: + +* pkt_data +* file_data +* dce_stub_fdata +* dnp3_data +* modbus_data +* sip_header +* sip_body + +The following list of formerly "non-sticky" buffer rule options in Snort2 +are implemented in Snort3 as "sticky" buffer rule options: + +* http_client_body +* http_cookie +* http_method +* http_raw_cookie +* http_raw_header +* http_raw_uri +* http_stat_code +* http_stat_msg +* http_uri + +Snort2lua must convert these formerly "non-sticky" buffer rule options to +"sticky" buffer rule options. This is accomplished by parsing the rule +options in the Snort2 file looking for buffer rule options that need to +be converted. When a buffer rule option needing conversion is found, it +is moved to precede the rule option that formerly preceded it, or deleted +to remove it as a duplicate if the "sticky" buffer value has already been +set to the same value. +
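Review bot: The list of formerly "non-sticky" HTTP buffer options that Snort3 treats as sticky names http_raw_header but not http_header; if http_header is converted the same way it should be added to the list, and if it is intentionally left out the notes should say so, since this list is what a reader will use to judge whether the conversion is complete. The final paragraph is also ambiguous on two points: "it is moved to precede the rule option that formerly preceded it" does not say whether the buffer option lands immediately before that single preceding option (the content or pcre it modified in Snort2) or before some larger group, and "deleted ... if the 'sticky' buffer value has already been set to the same value" does not say which earlier option is considered to have set it. Suggest stating both explicitly and adding one before/after rule fragment to the notes, for example `content:"foo"; http_uri;` becoming `http_uri; content:"foo";`, with a second fragment showing a consecutive http_uri being dropped because the cursor is already set to that buffer.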