[Snort-sigs] fast_pattern rules option

Zultan zultan at ...1298...
Thu Jul 9 09:50:36 EDT 2009


> ----- Original Message -----
> From: "Matt Olney" <molney at ...435...>
> To: Zultan <zultan at ...1298...>
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] fast_pattern rules option
> Date: Thu, 9 Jul 2009 08:48:49 -0400
> 
> 
> Not sure I understand your question, but:


OK here's a longer example...

Say I want to detect a unique HTTP User-Agent string.  (They can be way down inside the client's GET request.)

So to get snort to only examine client HTTP GET requests, instead of all client traffic, I usually write it as:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:".........."; flow:established,to_server; content:"GET "; depth:4; content:"User-Agent\: long_spyware_user-agent_string"; sid:......; etc.)

But the way I'm reading the fast_pattern write-up on the VRT blog, I really should write it as this instead:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:".........."; flow:established,to_server; content:"GET "; depth:4; fast_pattern; content:"User-Agent\: long_spyware_user-agent_string"; sid:......; etc.)

Because if I do my old way, by default it will first look for "User-Agent\: long_spyware_user-agent_string" (unless I use fast_pattern after content:"GET ").

Z



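An added example, not part of the post or of Snort itself: a small Python model of how the fast pattern choice in the two rules above decides which packets reach full rule evaluation. It follows Snort's documented default (an explicit fast_pattern wins, otherwise the longest content is used) over a constructed set of HTTP requests; the buffer handling is simplified and the sample traffic is made up.

```python
# Constructed client-to-server HTTP payloads (not from the original post).
UA = b"User-Agent: long_spyware_user-agent_string"
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /a HTTP/1.1\r\nHost: example.test\r\n" + UA + b"\r\n\r\n",
    b"POST /x HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\n\r\n",
    b"GET /b HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Wget/1.0\r\n\r\n",
]

# The content options of the two rules from the post, as dicts:
# pattern, depth (0 = whole payload) and whether fast_pattern was set.
RULE_DEFAULT = [{"pattern": b"GET ", "depth": 4, "fast_pattern": False},
                {"pattern": UA, "depth": 0, "fast_pattern": False}]
RULE_GET_FP = [{"pattern": b"GET ", "depth": 4, "fast_pattern": True},
               {"pattern": UA, "depth": 0, "fast_pattern": False}]


def select_fast_pattern(contents):
    """Snort's default: an explicit fast_pattern wins, else the longest content."""
    marked = [c for c in contents if c["fast_pattern"]]
    if marked:
        return marked[0]["pattern"]
    return max(contents, key=lambda c: len(c["pattern"]))["pattern"]


def content_matches(payload, c):
    """Check one content option, honouring its depth restriction."""
    window = payload[:c["depth"]] if c["depth"] else payload
    return c["pattern"] in window


def evaluate(contents, payloads):
    """Return (packets sent to full evaluation, packets that alert)."""
    fp = select_fast_pattern(contents)
    full_evals = alerts = 0
    for p in payloads:
        if fp not in p:  # fast pattern did not prequalify this packet
            continue
        full_evals += 1  # only now are all content options checked
        if all(content_matches(p, c) for c in contents):
            alerts += 1
    return full_evals, alerts


if __name__ == "__main__":
    for name, rule in (("default", RULE_DEFAULT), ("GET fast_pattern", RULE_GET_FP)):
        print(name, select_fast_pattern(rule), evaluate(rule, SAMPLE_REQUESTS))
```

Both rules alert on the same single request, but with "GET " as the fast pattern every GET in the sample goes to full evaluation, whereas the longer User-Agent string prequalifies only the one packet that can actually match.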




