[Snort-sigs] fast_pattern rules option

Zultan zultan at ...1298...
Thu Jul 9 06:50:30 EDT 2009


Saw Matt's post on the VRT blog about rule content matches, and using the fast_pattern rule option.

http://vrt-sourcefire.blogspot.com/2009/07/rule-performance-part-one-content.html

The VRT blog requires a Google account to reply.  I don't have one, nor do I need or want one, so I'll post my question here.

-------------

What if we're sure the first few bytes of data will be unique?  If they match, only then inspect the rest of the packet.

For example, looking for "content:"|16 03|"; depth:2;" on port 443 to identify the initial SSL/TLS packets.

Or similarly, "content:"GET "; depth:4;" on port 80 to only further inspect web-browser GET requests.

Do we now need to add fast_pattern to get it to use these qualifiers first?

Becoming:

...content:"|16 03|"; depth:2; fast_pattern;...

or

...content:"GET "; depth:4; fast_pattern;...

Z
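
As an added illustration (not from the post, and not Snort's own code), here is a small Python model of the selection behaviour the question is about: when a rule has no fast_pattern option, Snort 2.8 hands the longest content of the rule to the multi-pattern prefilter, and when fast_pattern is set on a content, that content is used instead. The rule option strings and payloads are constructed for the example, and the model deliberately ignores offset/distance/within and the HTTP-specific buffers.

```python
import re

# Constructed rule option strings for this example; the |16 03| / depth:2
# qualifier is the one from the post, the second content is made up.
RULE_DEFAULT = 'content:"|16 03|"; depth:2; content:"ServerHelloDone";'
RULE_EXPLICIT = 'content:"|16 03|"; depth:2; fast_pattern; content:"ServerHelloDone";'

# One rule option: name, optional value (quoted string or bare), terminated by ';'
OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def decode_content(value):
    """Expand a Snort content string into bytes: |..| runs are hex, the rest literal."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:                       # odd segments lie between a pair of pipes
            out += bytes.fromhex(part)
        else:
            out += part.replace("\\", "").encode("latin-1")   # drop \" \; \\ escapes
    return bytes(out)


def parse_contents(rule_options):
    """Return [(pattern_bytes, depth_or_None, flagged_fast_pattern), ...] in rule order."""
    contents = []
    for name, raw in OPTION_RE.findall(rule_options):
        if name == "content":
            contents.append([decode_content(raw.strip('"')), None, False])
        elif name == "depth" and contents:
            contents[-1][1] = int(raw)
        elif name == "fast_pattern" and contents:
            contents[-1][2] = True
    return [tuple(c) for c in contents]


def select_fast_pattern(rule_options):
    """Simplified Snort 2.8 selection: an explicit fast_pattern wins, else the longest content."""
    contents = parse_contents(rule_options)
    flagged = [c for c in contents if c[2]]
    if flagged:
        return flagged[0][0], "explicit fast_pattern"
    return max(contents, key=lambda c: len(c[0]))[0], "longest content (default)"


def evaluate(rule_options, payload):
    """Two-stage check: prefilter on the fast pattern, then full content+depth evaluation."""
    pattern, _ = select_fast_pattern(rule_options)
    if pattern not in payload:          # the multi-pattern matcher searches the whole buffer
        return "skipped by prefilter"
    for pat, depth, _ in parse_contents(rule_options):
        window = payload if depth is None else payload[:depth]
        if pat not in window:
            return "rejected in full evaluation"
    return "alert"
```

One point the model makes visible: the prefilter stage searches the whole payload and depth:2 is only enforced in the full evaluation, so a two-byte fast pattern such as |16 03| will send every packet that contains those bytes anywhere on to the rule engine, which is the trade-off to weigh before flagging such a short content.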
