[Snort-sigs] Traffic parsing order

Cluett, Russell russell.cluett at ...2654...
Wed Jul 21 04:50:01 EDT 2004


I'm trying to figure out how to reduce load and am wondering about
something. In the rule (below) traffic is parsed for a variety of things,
first being source & destination & port, then the filename and finally if it
is html or not. What I'm wondering is if the parsing order was changed to be
source & destination & port, then move content:"\<html\>"; to be *before*
filename, would it help speed up processing (assuming that not all port 25
traffic is going to be html)? Example below ...

#Submitted by Michael Sconzo
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/"; content:"\<html\>"; sid:2000561; rev:5;)

Change to:
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; content:"\<html\>"; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/"; sid:2000561; rev:5;)

My logic being that before parsing for the filename it can dismiss anything
that is not html. Does that make sense?

Thanks,
Russ Cluett CISSP GCIH
Senior Information Security Analyst
Electronic Data Systems - EDS
AVIEN Founding Member
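Added toy model of the ordering question above (not code from the post, nor from Snort): the rule's options are evaluated left to right, the rule fails at the first option that does not match, and each pcre evaluation is counted as the expensive step. It assumes that evaluation model and constructed message bodies; Snort's fast-pattern pre-filter on content matches is not modelled.

```python
import re

# Rule options from sid:2000561 rev:5, modelled as predicates over the payload.
OPTIONS = {
    "filename": lambda p: "filename=" in p,
    "pcre_name": re.compile(
        r"(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)"
    ).search,
    "pcre_text": re.compile(
        r"(fotogalary and Music|Animals|foto3 and MP3|fotoinfo|"
        r"Screen and Music|Lovely animals|Predators|The snake)"
    ).search,
    "html": lambda p: "<html>" in p,
}

ORIGINAL = ["filename", "pcre_name", "pcre_text", "html"]   # order as posted
REORDERED = ["html", "filename", "pcre_name", "pcre_text"]  # cheap html check first

def evaluate(order, payload):
    """Left-to-right evaluation, stop at first miss; returns (matched, pcre evaluations)."""
    pcre_evals = 0
    for name in order:
        if name.startswith("pcre"):
            pcre_evals += 1
        if not OPTIONS[name](payload):
            return False, pcre_evals
    return True, pcre_evals

def compare(payloads):
    """Run both orders over the payloads; verdicts must agree, pcre cost need not."""
    result = {}
    for label, order in (("original", ORIGINAL), ("reordered", REORDERED)):
        verdicts, cost = [], 0
        for p in payloads:
            matched, evals = evaluate(order, p)
            verdicts.append(matched)
            cost += evals
        result[label] = {"verdicts": verdicts, "pcre_evals": cost}
    return result

# Constructed SMTP message bodies for the demo (not real captures).
SAMPLES = [
    "Content-Disposition: attachment; filename=report.txt\r\n\r\nhello",
    "<html><body>Animals</body></html>\r\nfilename=Dog.scr",
    "<html><body>no attachment here</body></html>",
    "Predators\r\nfilename=Cat.exe\r\nplain text mail, no markup",
]

if __name__ == "__main__":
    print(compare(SAMPLES))
```

Both orders produce the same verdicts on every sample; the reordered rule only pays for the pcre checks on messages that already contain the html marker.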
