[Snort-devel] fast_pattern not always longest content string by default?

Joel Esler (jesler) jesler at ...3461...
Thu Oct 23 13:51:22 EDT 2014


Thanks Mike, we’ll open a doc bug for this.



Joel Esler
jesler at ...3461...



> On Oct 23, 2014, at 10:23 AM, Mike Cox <mike.cox52 at ...2499...> wrote:
> 
> Thanks for the replies.  I don't disagree with this behavior but I do think the Snort manual should make this clear because I've been using Snort for many years and this is the first I've heard of it.
> 
> -Mike Cox
> 
> On Wed, Oct 22, 2014 at 9:34 PM, Steve Sturges (ststurge) <ststurge at ...3408...61... <mailto:ststurge at ...3461...>> wrote:
> Legacy, kinda.  But more efficient performance wise.  :)
> 
> > On Oct 22, 2014, at 9:18 PM, "Joshua Kinard" <kumba at ...2185... <mailto:kumba at ...2185...>> wrote:
> >
> > I'll wager that this is a relic of Snort's early days as primarily an HTTP
> > traffic sniffer, before it became a more generic deep-packet inspection tool.
> >
> > Something like this should get a mention in the Snort manual, though there are
> > several places where it states that the longest content match is the default,
> > yet doesn't differentiate between a normal content match and a content match
> > modified by an HTTP keyword.  So, not a quick fix w/o refactoring the lingo in
> > a few spots.
> >
> > --J
> >
> >
> >> On 10/22/2014 16:30, Josh Rosenbaum (jrosenba) wrote:
> >> Hi Mike,
> >>
> >> Sorry for this unfortunate news, but it looks like you will need tweak those
> >> sigs.  I can confirm that if a fast_pattern keyword is not specified for a
> >> given rule, the default fast pattern is the longest HTTP buffer content.
> >> If no HTTP buffer content is present, then the fast pattern is the longest
> >> content.
> >>
> >> Josh
> >>
> >>
> >> From: Mike Cox <mike.cox52 at ...2499... <mailto:mike.cox52 at ...2499...><mailto:mike.cox52 at ...2499... <mailto:mike.cox52 at ...2499...>>>
> >> Date: Wednesday, October 22, 2014 at 8:16 AM
> >> Subject: [Snort-devel] fast_pattern not always longest content string by default?
> >>
> >> Hi All,
> >>
> >> I was looking thru some of my sigs with 'debug-print-fast-pattern' turned on
> >> and noticed that the fast pattern string was not always the longest content
> >> match by default.  Specifically, it appears that content matches in (valid
> >> for fast_pattern) HTTP Inspect buffers (e.g. http_header, http_uri, etc.)
> >> are taking priority.  For example, consider this sig:
> >>
> >> alert tcp any any -> any $HTTP_PORTS (msg:"FP Test";
> >> flow:established,to_server; content:"twitter.com <http://twitter.com/><http://twitter.com <http://twitter.com/>>";
> >> http_header; content:"hellow Twitter tweet"; sid:1234567;)
> >>
> >> The longest content match is "hellow Twitter tweet" but when I look at the
> >> fast pattern debug output, the fast pattern used is
> >> "twitter.com <http://twitter.com/><http://twitter.com <http://twitter.com/>>".
> >>
> >> Having the HTTP Inspect buffers take priority makes sense because they will
> >> be smaller than the entire packet and thus more efficient.  However, I do
> >> not see this behavior documented in the manual which says, "the default
> >> behavior of fast pattern determination is to use the longest content in the
> >> rule..."
> >>
> >> Can someone comment/confirm this?  It is looking like I may have to
> >> review/tweak a plethora of sigs.... :(
> >>
> >> Thanks!
> >>
> >> -Mike Cox
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net <mailto:Snort-devel at ...362....net>
> > https://lists.sourceforge.net/lists/listinfo/snort-devel <https://lists.sourceforge.net/lists/listinfo/snort-devel>
> > Archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel>
> >
> > Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net <mailto:Snort-devel at ...3134...et>
> https://lists.sourceforge.net/lists/listinfo/snort-devel <https://lists.sourceforge.net/lists/listinfo/snort-devel>
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel>
> 
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> 
> Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141023/f10ad4f9/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4881 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141023/f10ad4f9/attachment.bin>


More information about the Snort-devel mailing list