[Snort-sigs] Solaris lpd exploit sig

Matt Kettler mkettler at ...189...
Fri Jun 28 13:44:02 EDT 2002


I'll certainly acknowledge that you're more of a snort expert, but as far 
as I know a search pattern starting with a long repeated sequence is pretty 
much the most sub-optimal content rule you can make for the match case, 
since it guarantees that on a real match you're going to have to make n 
single character shifts, where n is the number of /'s in the pattern. Or is 
my understanding of B-M a bit muddled?

You are right that a long pattern helps a lot in the non-match case, and 
given that this is a not-very-common attack, the extra /'s probably do more 
good than harm in general. Fair enough.


String matching aside, I do still think the exclusion of port 515 was 
probably an accidental oversight in the original rule, and significant 
performance gains would be realized by adding it.



At 03:43 PM 6/28/2002 -0400, Chris Green wrote:
>The longer strings are better than the shorter patterns :-) Don't
>worry much about implementation level details like that when designing
>patterns.  Worry more about making correct patterns when writing
>signatures.
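
An added example, not part of the thread and not Snort's own matcher: a Boyer-Moore-Horspool search (bad-character rule only) that counts window alignments and byte comparisons, so the effect of where a repeated run sits in a content pattern can be measured. The patterns, the `MARK` stand-in bytes and the payloads are all constructed, and the use of the Horspool simplification is an assumption.

```python
def horspool(text: bytes, pat: bytes):
    """Return (hit offsets, window alignments tried, byte comparisons made)."""
    m, n = len(pat), len(text)
    # Bad-character table: distance from the last occurrence of each byte
    # (final pattern byte excluded) to the end of the pattern.
    shift = {c: m - 1 - i for i, c in enumerate(pat[:-1])}
    hits, alignments, compares, pos = [], 0, 0, 0
    while pos + m <= n:
        alignments += 1
        j = m - 1
        while j >= 0:  # compare right to left
            compares += 1
            if text[pos + j] != pat[j]:
                break
            j -= 1
        if j < 0:
            hits.append(pos)
        # Shift on the byte under the window's last position; a byte that
        # is not in the table skips a whole pattern length.
        pos += shift.get(text[pos + m - 1], m)
    return hits, alignments, compares


# Constructed patterns: "MARK" stands in for a signature's distinctive bytes.
RUN_FIRST = b"/" * 16 + b"MARK"  # repeated run at the start of the pattern
RUN_LAST = b"MARK" + b"/" * 16   # same bytes, run at the end
SHORT = b"MARK"                  # the pattern without the run

# Constructed payloads.
BENIGN = b"print job queued for user alice on lp0\n" * 10
SLASHES_THEN_MARK = b"/" * 40 + b"MARK"
ONLY_SLASHES = b"/" * 44


def measure():
    """Run each (payload, pattern) case and return its counters by name."""
    return {
        "benign, long pattern": horspool(BENIGN, RUN_FIRST),
        "benign, short pattern": horspool(BENIGN, SHORT),
        "match, run first": horspool(SLASHES_THEN_MARK, RUN_FIRST),
        "slash flood, run last": horspool(ONLY_SLASHES, RUN_LAST),
    }


if __name__ == "__main__":
    for name, (hits, aligned, compared) in measure().items():
        print(f"{name:24} hits={hits} alignments={aligned} compares={compared}")
```

In this simplified matcher the pattern with the run at the start steps 4 bytes at a time through a slash run (the length of its tail), and single-byte steps only appear when the run ends the pattern.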




