[Snort-sigs] pcre...what am I doing wrong?

김무성 kimms at ...3282...
Thu Apr 2 07:33:29 EDT 2009


Of course, 1 pcre rule's performance is good.
First of all, one line. Ha.
If you worry about your regex skills, you can train every day. Create more and more pcre rules.

You have to understand why to use pcre and why to use content.

Example.

1.
www.google.com
www.cnn.com
If you defend against these DNS queries, you create a pcre rule:

alert udp any any -> any 53 (msg:"harmful DNS query"; content:"|03|www|06|google|03|com|00|"; nocase;)
alert udp any any -> any 53 (msg:"harmful DNS query"; content:"|03|www|03|cnn|03|com|00|"; nocase;)
or
alert udp any any -> any 53 (msg:"harmful DNS query"; pcre:"/\x03www(\x06google|\x03cnn)\x03com\x00/i";)

Which rule is good?

2.
www.google.com
test.cnn.org
If you defend against these DNS queries, you create a pcre rule:

alert udp any any -> any 53 (msg:"harmful DNS query"; content:"|03|www|06|google|03|com|00|"; nocase;)
alert udp any any -> any 53 (msg:"harmful DNS query"; content:"|04|test|03|cnn|03|org|00|"; nocase;)
or
alert udp any any -> any 53 (msg:"harmful DNS query"; pcre:"/(\x03www\x06google\x03com\x00|\x04test\x03cnn\x03org\x00)/i";)

Which rule is good?


Snort has many options for improving performance:
flow, flowbit, dsize, depth, offset, etc.


-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace at ...2420...] 
Sent: Wednesday, April 01, 2009 8:35 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] pcre...what am I doing wrong?

That was my original idea, however I'll be looking for 30+ domains.
Also these are DMZ systems that don't initiate a lot of connections so
there is very little outbound DNS request traffic. There will be a
content: part of the rule to reduce the pcre use.

I guess the question is, "Where is the performance break even point?".

30+ content: rules vs. 1 content: + pcre: rule.

Also, I so infrequently write rules using pcre that I was worried my
regex skills were getting a little rusty. This looked like a good one
to sharpen them up on. :)

Wally


2009/3/31 JJ Cummings <cummingsj at ...2420...>:
> Exactly, this is a MUCH better way of doing it!
>
> On Tue, Mar 31, 2009 at 6:53 PM, 김무성 <kimms at ...3282...> wrote:
>>
>> You must look at the packet of the DNS query.
>> In a DNS query,
>> the query structure is not subdomain.domain.net.
>> It is |09|subdomain|06|domain|03|net|00|
>>
>> You have to create content:"|09|subdomain|06|domain|03|net|00|";
>>
>> -----Original Message-----
>> From: Jason Wallace [mailto:jason.r.wallace at ...2420...]
>> Sent: Wednesday, April 01, 2009 4:59 AM
>> To: snort-sigs at lists.sourceforge.net
>> Subject: [Snort-sigs] pcre...what am I doing wrong?
>>
>> I'm trying to write a rule using a pcre that looks for DNS requests to
>> a large list of domains. I know pcre is compiled in because I see this
>> during the ./configure
>>
>> checking pcre.h usability... yes
>> checking pcre.h presence... yes
>> checking for pcre.h... yes
>> checking for pcre_compile in -lpcre... yes
>> checking for libpcre version 6.0 or greater... yes
>>
>> Here is the simple beginning of the rule...
>>
>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"My Message";
>> pcre:"/subdomain\.domain\.net/smi"; classtype:trojan-activity;
>> sid:500000001; rev:1;)
>>
>> This is just a simple example. There will be a large list of domains
>> similar to the large list of file extensions in the "VIRUS OUTBOUND
>> bad file attachment" sid:721 rule. The problem is the pcre doesn't
>> seem to be working. Using \ to escape the . is correct right? Here are
>> some things I have tried...
>>
>> pcre:"/subdomain\.domain\.net/smi"; does NOT work
>> pcre:"/subdomain\\.domain\\.net/smi"; does NOT work
>> pcre:"/subdomain.domain.net/smi"; DOES work (but not exactly what I'm
>> looking for, because the . could be anything not just a .)
>> pcre:"/domain/smi"; DOES work
>>
>> This not working makes me a little nervous since there are a lot of
>> rules using \ to escape a . and now I'm wondering if any of them are
>> working...
>>
>> Why wouldn't \ work to escape a . ??
>>
>> Thx,
>> Wally
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>>
>
>
>
> --
> JJ Cummings
> M: 303.881.5181
> jj.cummings at ...435...
>
>
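
As an added illustration, not code from any poster in this thread: the Python below encodes a name the way the DNS question section carries it, renders the equivalent Snort content: and pcre: strings (including one alternation for a long domain list), and shows why `subdomain\.domain\.net` cannot match the wire bytes. Python's re module stands in for PCRE, and the query packet is constructed here rather than captured.

```python
import re
import struct

def qname_wire(name: str) -> bytes:
    """Encode a name as the DNS QNAME: one length byte before each label, then a 0x00 root."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad DNS label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def snort_content(name: str) -> str:
    """Same bytes as a Snort content: string, e.g. |09|subdomain|06|domain|03|net|00|."""
    labels = name.rstrip(".").split(".")
    return "".join(f"|{len(lab):02x}|{lab}" for lab in labels) + "|00|"

def snort_pcre(names) -> str:
    """One case-insensitive alternation covering many names (the 30+ domain case).
    Assumes hostname labels (letters, digits, hyphen), which need no regex escaping."""
    def one(n):
        return "".join(f"\\x{len(lab):02x}{lab}" for lab in n.rstrip(".").split(".")) + "\\x00"
    return "/(" + "|".join(one(n) for n in names) + ")/i"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS A query (12-byte header + question), not a captured packet."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    return header + qname_wire(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def pcre_matches(pattern: str, packet: bytes) -> bool:
    """Apply a Snort-style /body/flags pattern to raw packet bytes (Python re stands in for PCRE)."""
    body, flags = pattern[1:].rsplit("/", 1)
    opts = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0) | (re.M if "m" in flags else 0)
    return re.search(body.encode("latin-1"), packet, opts) is not None

if __name__ == "__main__":
    pkt = build_query("subdomain.domain.net")
    print("content:", snort_content("subdomain.domain.net"))
    for pat in (r"/subdomain\.domain\.net/smi",        # no match: there are no '.' bytes in the packet
                r"/subdomain.domain.net/smi",          # matches, but '.' also matches any other byte
                snort_pcre(["subdomain.domain.net"])): # matches only the exact label layout
        print(pat, "->", "match" if pcre_matches(pat, pkt) else "no match")
```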
