[Snort-sigs] fast_pattern rules option

Todd Wease twease at ...435...
Thu Jul 9 08:12:27 EDT 2009


You only need to add the fast_pattern modifier if you have more than one 
content in a rule.  Snort, in general, will use the longest content in a 
rule to put into the fast pattern matcher.  That content, however, is 
not always the most unique of the contents specified in the rule, so if 
you know that the shorter content is more unique than the longer 
content, add the fast_pattern modifier to the shorter content so it will 
be used in the fast pattern matcher instead of the longer content.


On 07/09/2009 06:50 AM, Zultan wrote:
> Saw Matt's post on the VRT blog about rule content matches, and using the fast_pattern rule option.
>
> http://vrt-sourcefire.blogspot.com/2009/07/rule-performance-part-one-content.html
>
> The VRT blog requires a Google account to reply.  I don't have one, nor do I need or want one, so I'll post my question here.
>
> -------------
>
> What if we're sure the first few bytes of data will be unique?  If they match, only then inspect the rest of the packet.
>
> For example, looking for "content:"|16 03|"; depth:2;" on port 443 to identify the initial SSL/TLS packets.
>
> Or similarly, "content:"GET "; depth:4;" on port 80 to only further inspect web-browser GET requests.
>
> Do we now need to add fast_pattern to get it to use these qualifiers first?
>
> Becoming:
>
> ...content:"|16 03|"; depth:2; fast_pattern;...
>
> or
>
> ...content:"GET "; depth:4; fast_pattern;...
>
> Z
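As an added example, not code from this thread or from the Snort project, here is a small Python model of the selection rule Todd describes: the content carrying the fast_pattern modifier goes to the fast pattern matcher, otherwise the longest non-negated content does. The content parsing is a deliberately simplified stand-in for Snort's rule option grammar, and the rules passed in are constructed for illustration.

```python
import re
from typing import List, Optional

# One content option and the modifiers that follow it, up to the next content
# keyword. Simplified grammar: enough for depth/offset/nocase/fast_pattern.
CONTENT_RE = re.compile(
    r'content:\s*(!?)"((?:[^"\\]|\\.)*)"\s*;'   # optional '!' negation, quoted pattern
    r'((?:\s*(?!content:)[a-z_]+(?::[^;]*)?;)*)'  # trailing modifiers
)

def content_bytes(spec: str) -> bytes:
    """Decode a Snort content string: |16 03| hex blocks, plain text elsewhere."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:          # odd segments sit between pipe characters: hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return out

def parse_contents(rule: str) -> List[dict]:
    """Return every content option with its pattern, negation and modifier names."""
    contents = []
    for negated, spec, mods in CONTENT_RE.findall(rule):
        names = [m.strip().split(":")[0] for m in mods.split(";") if m.strip()]
        contents.append({"pattern": content_bytes(spec),
                         "negated": bool(negated), "modifiers": names})
    return contents

def fast_pattern_content(rule: str) -> Optional[bytes]:
    """Model of the content Snort hands to the fast pattern matcher."""
    candidates = [c for c in parse_contents(rule) if not c["negated"]]
    if not candidates:
        return None
    explicit = [c for c in candidates if "fast_pattern" in c["modifiers"]]
    if explicit:                # an explicit modifier wins over length
        return explicit[0]["pattern"]
    return max(candidates, key=lambda c: len(c["pattern"]))["pattern"]

if __name__ == "__main__":
    # Constructed rules: the second shows the longer, less specific content
    # being chosen by default; the third pins the short "GET " with fast_pattern.
    for r in ['alert tcp any any -> any 443 (content:"|16 03|"; depth:2; sid:1;)',
              'alert tcp any any -> any 80 (content:"GET "; depth:4; content:"/index.html"; sid:2;)',
              'alert tcp any any -> any 80 (content:"GET "; depth:4; fast_pattern; content:"/index.html"; sid:3;)']:
        print(fast_pattern_content(r))
```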