[Snort-sigs] fast_pattern rules option
zultan at ...1298...
Thu Jul 9 06:50:30 EDT 2009
Saw Matt's post on the VRT blog about rule content matches, and using the fast_pattern rule option.
The VRT blog requires a Google account to reply. I don't have one, nor do I need or want one, so I'll post my question here.
What if we're sure the first few bytes of data will be unique? If they match, only then inspect the rest of the packet.
For example, looking for "content:"|16 03|"; depth:2;" on port 443 to identify the initial SSL/TLS packets.
Or similarly, "content:"GET "; depth:4;" on port 80 to only further inspect web-browser GET requests.
Do we now need to add fast_pattern to get it to use these qualifiers first?
...content:"|16 03|"; depth:2; fast_pattern;...
...content:"GET "; depth:4; fast_pattern;...