[Snort-sigs] Traffic parsing order

Matthew Watchinski mwatchinski at ...435...
Sat Jul 24 21:56:06 EDT 2004


That will buy you a little bit of speed, as the fast pattern matcher 
will be called before pcre.  I would also suggest adding the flow 
keyword as that will buy you a bit of speed also.

Cheers,
-matt

Cluett, Russell wrote:

>I'm trying to figure out how to reduce load and am wondering about
>something. In the rule (below) traffic is parsed for a variety of things,
>first being source & destination & port, then the filename and finally if it
>is html or not. What I'm wondering is if the parsing order was changed to be
>source & destination & port , then move content:"\<html\>"; to be *before*
>filename, would it help speed up processing (assuming that not all port 25
>traffic is going to be html)? Example below ...
>
>#Submitted by Michael Sconzo
>alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; content:"filename=";
>pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/";
>pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/";
>content:"\<html\>"; sid:2000561; rev:5;)
>
>Change to:
>alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; content:"\<html\>"; content:"filename=";
>pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/";
>pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/";
>sid:2000561; rev:5;)
>
>My logic being that before parsing for the filename it can dismiss anything
>that is not html. Does that make sense?
>
>Thanks,
>Russ Cluett CISSP GCIH
>Senior Information Security Analyst
>Electronic Data Systems - EDS
>AVIEN Founding Member
>
>
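For reference, here is what the rule looks like with both of Matt's suggestions applied. This is an added example, not a rule posted by anyone in the thread: both content matches are moved ahead of the two pcre options, and a flow keyword is added so the rule is only evaluated on the client-to-server side of an established TCP session. Three things in it are my own assumptions rather than anything the thread states: the rev bump to 6, the unescaped "<html>" spelling (Snort content strings do not need "<" and ">" escaped), and the escaped dot in the first pcre, which makes it match a literal "." between the name and the extension instead of any single character.

```snort
# Added example (not from the thread): sid 2000561 reordered along the lines
# Matt suggests. The cheap literal content checks come before the two pcre
# options, and flow:to_server,established; keeps the rule off server->client
# traffic and off packets that belong to no established session.
#
# Assumptions, not stated in the thread: rev:6, plain "<html>" instead of
# "\<html\>", and "\." instead of "." in the first pcre. The "\ " escapes in
# the original second pcre are dropped; without the x modifier a bare space
# already matches a literal space.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; \
    flow:to_server,established; \
    content:"<html>"; \
    content:"filename="; \
    pcre:"/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3)\.(scr|cpl|zip|exe|com)/"; \
    pcre:"/(fotogalary and Music|Animals|foto3 and MP3|fotoinfo|Screen and Music|Lovely animals|Predators|The snake)/"; \
    sid:2000561; rev:6;)
```

Two caveats worth keeping in mind when reasoning about the speed gain. First, the order of the content options only controls the order of the per-rule checks once the rule has been selected; the prefilter that runs before any of them is the fast pattern matcher, and with more than one content in a rule Snort 2.x by default uses the longest one ("filename=" here, not "<html>") as the fast pattern, so swapping the two contents does not change which literal gates the rule. Second, content matches are case sensitive unless nocase is given, so a message whose body uses "<HTML>" will never reach the pcre stage with this rule; whether that is acceptable is a detection trade-off for the rule author, not a performance question.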