[Snort-sigs] Solaris lpd exploit sig

Chris Green cmg at ...435...
Fri Jun 28 14:02:01 EDT 2002


Matt Kettler <mkettler at ...189...> writes:

> I'll certainly acknowledge that you're more of a snort expert, but as
> far as I know a search pattern starting with a long repeated sequence
> is pretty much the most sub-optimal content rule you can make for the
> match case, since it guarantees that on a real match you're going to
> have to make n single character shifts, where n is the number of /'s
> in the pattern. Or is my understanding of B-M a bit muddled?

Nope. You're right on in the match case but most of the patterns are
low hit % (or hopefully).

>> You are right that a long pattern helps a lot in the non-match case,
> and given that this is a not-very-common attack, the extra /'s
> probably do more good than harm in general. Fair enough.
>

Yeah the shifting phase is much more important from my understanding.
The shifting phase is the key to most of the pattern matching
stuff and the longer pattern really helps to discriminate out a lot of
the stuff before you get to the "hey I just did this" phase :)

> String matching aside I do still think the exclusion of port 515 was
> probably an accidental oversight in the original rule, and significant
> performance gains would be realized by adding it.

Yes, that's a big difference.  I wasn't talking about that part at
all as that's all a good rule.

I do appreciate the feedback since that was some of the most dense
that I've seen here :-)
-- 
Chris Green <cmg at ...435...>
You now have 14 minutes to reach minimum safe distance.
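An added example, not part of the thread or of the Snort rule under discussion: a Boyer-Moore-Horspool matcher that counts window alignments and byte comparisons, so the cost of a content pattern opening with a long run of "/" can be measured in both the match and the non-match cases the thread argues about. The patterns and buffers are constructed for the demonstration, not the real lpd rule content.

```python
def horspool_search(text: bytes, pattern: bytes):
    """Return (match_offset_or_-1, comparisons, alignments) for one search."""
    m, n = len(pattern), len(text)
    # Bad-character table: for each byte in pattern[:-1], how far the window
    # moves when that byte sits under the last pattern position.
    shift = {}
    for i, c in enumerate(pattern[:-1]):
        shift[c] = m - 1 - i          # later occurrences overwrite earlier ones
    i = comparisons = alignments = 0
    while i <= n - m:
        alignments += 1
        j = m - 1
        while j >= 0:                 # compare right-to-left within the window
            comparisons += 1
            if text[i + j] != pattern[j]:
                break
            j -= 1
        if j < 0:
            return i, comparisons, alignments
        # The byte under the last pattern position decides the shift; a byte
        # absent from the pattern lets the window jump the full pattern length.
        i += shift.get(text[i + m - 1], m)
    return -1, comparisons, alignments


LONG = b"/" * 8 + b"bin"    # constructed: long run of slashes, then a tail
SHORT = b"bin"              # constructed: the tail alone


def cost_table():
    """Cost of LONG vs SHORT on unrelated traffic and on a payload-like buffer."""
    unrelated = b"x" * 100                 # non-match case: nothing in common
    payload = b"/" * 20 + b"bin"           # match case: more slashes than pattern
    return {
        "long/nomatch": horspool_search(unrelated, LONG),
        "short/nomatch": horspool_search(unrelated, SHORT),
        "long/match": horspool_search(payload, LONG),
        "short/match": horspool_search(payload, SHORT),
    }


if __name__ == "__main__":
    for name, (off, cmp, al) in cost_table().items():
        print(f"{name:14s} offset={off:3d} comparisons={cmp:3d} alignments={al:3d}")
```

On the unrelated buffer the long pattern needs 9 alignments against 33 for the short one, while on the slash-heavy buffer the run of slashes only yields shifts of 3 before the full 11-byte verification at the real match.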