[Snort-sigs] fast_pattern rules option

Matt Olney molney at ...435...
Thu Jul 9 08:48:49 EDT 2009


Not sure I understand your question, but:

The fast_pattern modifier is not required.  If you do not provide a
content match with the fast_pattern modifier, Snort will default to
the "first-longest" behavior, that is, it will select the longest
content match and place that match into the fast-pattern matcher.  If
there is a tie, and there are multiple content matches, it will choose
the first content match in the rule.

Note also that the fast pattern matcher has no concept of offsets.  It
simply looks for that pattern anywhere in the packet, and then if it
sees that, it passes the packet to the detection engine with
instructions to run the detection against the packet.  So if you had:

content:"GET "; depth:4; fast_pattern

Then a POST request that included "I don't get it" somewhere in the
packet would be processed by the rule engine because the fast pattern
matcher would trigger, because it does not handle depth, offset,
distance, within modifiers.  Of course, the detection engine would
drop it once it got to this rule option.

Hope somewhere in there I answered your questions,

Matt

On Thu, Jul 9, 2009 at 6:50 AM, Zultan<zultan at ...1298...> wrote:
> Saw Matt's post on the VRT blog about rule content matches, and using the fast_pattern rule option.
>
> http://vrt-sourcefire.blogspot.com/2009/07/rule-performance-part-one-content.html
>
> The VRT blog requires a Google account to reply.  I don't have one, nor do I need or want one, so I'll post my question here.
>
> -------------
>
> What if we're sure the first few bytes of data will be unique?  If they match, only then inspect the rest of the packet.
>
> For example, looking for "content:"|16 03|"; depth:2;" on port 443 to identify the initial SSL/TLS packets.
>
> Or similarly, "content:"GET "; depth:4;" on port 80 to only further inspect web-browser GET requests.
>
> Do we now need to add fast_pattern to get it to use these qualifiers first?
>
> Becoming:
>
> ...content:"|16 03|"; depth:2; fast_pattern;...
>
> or
>
> ...content:"GET "; depth:4; fast_pattern;...
>
> Z
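[Editor's note] Added example, not code from the list or from Snort itself: a small Python model of the two-stage matching Matt describes above. The prefilter picks one content per rule with the "first-longest" default (an explicit fast_pattern overrides it, otherwise the longest content wins, and the first listed wins a tie) and looks for it anywhere in the payload, ignoring depth/offset; the detection stage then re-checks every content with its positional modifiers. The prefilter is modelled as case-insensitive, which is an assumption taken from Matt's "I don't get it" example (a lowercase "get " triggering a rule for "GET "). Rule names, packet payloads and the helper functions are constructed for illustration; distance/within are left out to keep the model short.

```python
"""Toy model of Snort 2's fast-pattern prefilter plus detection engine.

Added example for the Snort-sigs thread on fast_pattern; it is not Snort's
own code and models only content, depth, offset and fast_pattern.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    depth: Optional[int] = None   # search window ends `depth` bytes after offset
    offset: int = 0               # search window starts here
    fast_pattern: bool = False    # explicit fast_pattern modifier on this content


@dataclass
class Rule:
    name: str
    contents: List[Content]


def select_fast_pattern(rule: Rule) -> Content:
    """Default 'first-longest' choice: an explicit fast_pattern wins outright;
    otherwise the longest content, and on a tie the first one written in the rule."""
    explicit = [c for c in rule.contents if c.fast_pattern]
    if explicit:
        return explicit[0]
    best = rule.contents[0]
    for c in rule.contents[1:]:
        if len(c.pattern) > len(best.pattern):   # strictly longer only, so ties keep the first
            best = c
    return best


def prefilter(rule: Rule, payload: bytes) -> bool:
    """Fast-pattern stage: the chosen pattern anywhere in the payload, with no
    notion of depth/offset. Case-insensitive matching is an assumption of this model."""
    return select_fast_pattern(rule).pattern.lower() in payload.lower()


def detect(rule: Rule, payload: bytes) -> bool:
    """Detection stage: every content must match inside its offset/depth window."""
    for c in rule.contents:
        end = len(payload) if c.depth is None else c.offset + c.depth
        if c.pattern not in payload[c.offset:end]:
            return False
    return True


def evaluate(rule: Rule, payload: bytes) -> str:
    """Run both stages and report where the packet stopped."""
    if not prefilter(rule, payload):
        return "prefilter dropped"
    if not detect(rule, payload):
        return "detection rejected"
    return "alert"


# Constructed rules mirroring the thread: "GET " at depth 4 and |16 03| at depth 2.
GET_RULE = Rule("get-request", [Content(b"GET ", depth=4)])
TLS_RULE = Rule("tls-handshake", [Content(b"\x16\x03", depth=2)])
# Two contents of different length: the longer one becomes the fast pattern.
UA_RULE = Rule("ua", [Content(b"Mozilla/4.0"), Content(b"User-Agent: ")])
# Equal lengths: the first content written wins the tie.
TIE_RULE = Rule("tie", [Content(b"abcd"), Content(b"wxyz")])
# Explicit fast_pattern overrides the longest-content default.
EXPLICIT_RULE = Rule("explicit", [Content(b"abcdef"), Content(b"wxyz", fast_pattern=True)])

# Constructed payloads (not real captures).
GET_PKT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
POST_GET_IT_PKT = b"POST /form HTTP/1.1\r\nX-Note: I don't get it\r\n\r\n"
POST_PKT = b"POST /form HTTP/1.1\r\nHost: example.test\r\n\r\n"
TLS_PKT = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
LATE_TLS_PKT = b"AB\x16\x03\x01\x00\x05"


if __name__ == "__main__":
    for rule, pkt in [(GET_RULE, GET_PKT), (GET_RULE, POST_GET_IT_PKT),
                      (GET_RULE, POST_PKT), (TLS_RULE, TLS_PKT), (TLS_RULE, LATE_TLS_PKT)]:
        print(f"{rule.name:14} {pkt[:16]!r:24} -> {evaluate(rule, pkt)}")
```

Running it shows the behaviour from the reply: the POST carrying "I don't get it" gets past the fast-pattern stage (the prefilter has no depth) and is only thrown out when the detection engine applies depth:4, while a POST with no "get " anywhere never reaches the rule at all. For a single-content rule, adding fast_pattern changes nothing about which content is chosen; it only matters when there are several.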