[Snort-sigs] fast_pattern rules option

Joel Esler eslerj at ...2420...
Thu Jul 9 09:06:02 EDT 2009


Well a "GET" wouldn't be very unique, I know it was your example, but
probably a bad example.  I would say, the majority of the time you will not
need to specify which content match gets it. I think the post that Matt put
up was very explanatory and gave a great example about nulls.

I would probably say that 99.999% of the time, you won't need it, however,
it's there for your use, if so.
J

On Thu, Jul 9, 2009 at 6:50 AM, Zultan <zultan at ...1298...> wrote:

> Saw Matt's post on the VRT blog about rule content matches, and using the
> fast_pattern rule option.
>
>
> http://vrt-sourcefire.blogspot.com/2009/07/rule-performance-part-one-content.html
>
> The VRT blog requires a Google account to reply.  I don't have one, nor do
> I need or want one, so I'll post my question here.
>
> -------------
>
> What if we're sure the first few bytes of data will be unique?  If they match,
> only then inspect the rest of the packet.
>
> For example, looking for "content:"|16 03|"; depth:2;" on port 443 to
> identify the initial SSL/TLS packets.
>
> Or similarly, "content:"GET "; depth:4;" on port 80 to only further inspect
> web-browser GET requests.
>
> Do we now need to add fast_pattern to get it to use these qualifiers first?
>
> Becoming:
>
> ...content:"|16 03|"; depth:2; fast_pattern;...
>
> or
>
> ...content:"GET "; depth:4; fast_pattern;...
>
> Z
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>



-- 
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
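As an added illustration of the point both messages circle around (not code from either poster, from the VRT post, or from Snort itself), here is a toy Python model of fast-pattern selection. It assumes Snort 2.x's documented default of handing the longest content to the prefilter unless one is marked fast_pattern, and that depth is enforced only during full rule evaluation; the rule option lists and packets are constructed, and the whole thing is a simplification rather than Snort's actual matcher.

```python
# Toy model of how Snort 2.x picks one content for the fast-pattern prefilter (constructed simplification,
# not Snort source): explicit fast_pattern wins, else the longest content; depth is enforced only later.
from dataclasses import dataclass

@dataclass
class Content:
    pattern: bytes
    depth: int = 0              # 0 = no depth; else match must fall within this many leading bytes
    fast_pattern: bool = False  # explicitly chosen for the prefilter
def decode_pattern(text: str) -> bytes:
    """Snort content string to bytes; |..| sections hold hex bytes, e.g. "|16 03|"."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)
def parse_rule_options(options: str) -> list:
    """Collect content:/depth:/fast_pattern from a rule option list; other options are ignored."""
    contents = []
    for opt in options.split(";"):
        name, _, value = (s.strip() for s in opt.partition(":"))
        if name == "content":
            contents.append(Content(decode_pattern(value.strip('"'))))
        elif name == "depth" and contents:
            contents[-1].depth = int(value)
        elif name == "fast_pattern" and contents:
            contents[-1].fast_pattern = True
    return contents
def select_fast_pattern(contents: list) -> Content:
    flagged = [c for c in contents if c.fast_pattern]
    return flagged[0] if flagged else max(contents, key=lambda c: len(c.pattern))
def full_match(contents: list, payload: bytes) -> bool:
    """Rule evaluation proper: every content must match inside its own depth window."""
    return all(c.pattern in (payload[:c.depth] if c.depth else payload) for c in contents)
def evaluate(options: str, payloads: list) -> tuple:
    """Return (fast pattern, packets passing the prefilter, packets matching the whole rule)."""
    contents = parse_rule_options(options)
    fp = select_fast_pattern(contents)
    candidates = [p for p in payloads if fp.pattern in p]  # prefilter scans the whole payload, no depth
    return fp.pattern, len(candidates), sum(full_match(contents, p) for p in candidates)

# Constructed rule option lists and traffic, not taken from the page:
RULE_DEFAULT = 'msg:"toy"; content:"GET "; depth:4; content:"/constructed/long/path"; sid:1000001;'
RULE_FORCED = 'msg:"toy"; content:"GET "; depth:4; fast_pattern; content:"/constructed/long/path"; sid:1000002;'
RULE_TLS = 'msg:"toy tls"; content:"|16 03|"; depth:2; sid:1000003;'
HTTP = [b"GET / HTTP/1.1\r\n", b"GET /index.html HTTP/1.1\r\n", b"POST /login HTTP/1.1\r\n",
        b"GET /constructed/long/path HTTP/1.1\r\n", b"GET /logo.png HTTP/1.1\r\n"]
TLS = [b"\x16\x03\x01\x00\x05hello", b"junk\x16\x03\x01"]  # second passes prefilter but fails depth:2

if __name__ == "__main__":
    print(evaluate(RULE_DEFAULT, HTTP), evaluate(RULE_FORCED, HTTP), evaluate(RULE_TLS, TLS))
```

Forcing "GET " as the fast pattern sends four of the five constructed packets to full evaluation instead of one, which is the "not very unique" problem Joel describes; the TLS rule shows that depth:2 does not narrow the prefilter, only the final check.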

