[Snort-sigs] fast_pattern rules option

Joel Esler eslerj at ...2420...
Thu Jul 9 10:00:14 EDT 2009


On Thu, Jul 9, 2009 at 9:50 AM, Zultan <zultan at ...1298...> wrote:

>
> > ----- Original Message -----
> > From: "Matt Olney" <molney at ...435...>
> > To: Zultan <zultan at ...1298...>
> > Cc: snort-sigs at lists.sourceforge.net
> > Subject: Re: [Snort-sigs] fast_pattern rules option
> > Date: Thu, 9 Jul 2009 08:48:49 -0400
> >
> >
> > Not sure I understand  your question, but:
>
>
> OK here's a longer example...
>
> Say I want to detect a unique HTTP User-Agent string.  (They can be way
> down inside the client's GET request.)
>
> So to get snort to only examine client HTTP GET requests, instead of all
> client traffic, I usually write it as:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"..........";
> flow:established,to_server; content:"GET "; depth:4; content:"User-Agent\:
> long_spyware_user-agent_string"; sid:......; etc.)
>
> But the way I'm reading the fast_pattern write-up on the VRT blog, I really
> should write it as this instead:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"..........";
> flow:established,to_server; content:"GET "; depth:4; fast_pattern;
> content:"User-Agent\: long_spyware_user-agent_string"; sid:......; etc.)
>
> Because if I do my old way, by default it will first look for "User-Agent\:
> long_spyware_user-agent_string" (unless I use fast_pattern after
> content:"GET ").
>

In that example, I'd want to use the long spyware string as the fp match.
It's more unique than the GET would be.  Uniqueness is what counts.  Let's
say you have a NON-unique string that is 20 bytes long.  Say "|00 00 00 00
00...etc"

Then, you have a shorter string, let's say, my last name "esler" which is 5
characters, much shorter than the 20 byte string.  The 20 byte string would
be picked up "naturally" by Snort's FP matcher, however, the "Esler" string
is more unique, so I could specify the content match for "Esler" to be
forced into the fast_pattern matcher instead of the 20 byte "|00 00 00 etc"
string.

In your example, I'd want to use the long_spyware string, as it is more
unique than a GET.  A GET will occur hundreds of thousands of times a day.
The spyware string may only occur once.

J




-- 
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
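The trade-off Joel describes, as an added worked example that is not part of the original thread and not Snort's own code: a small Python model that parses the content options of the two rules Zultan posted (plus the "20 null bytes vs. esler" case), picks the fast-pattern content the way Snort 2.x does (an explicit fast_pattern modifier wins, otherwise the longest content), and then counts how many constructed HTTP payloads would pass the prefilter and be handed to full rule evaluation under each choice. The payloads, the sid values and the tie-break on equal-length contents are assumptions made for the example.

```python
"""
Toy model of Snort fast-pattern selection and its prefilter cost.
Constructed example; not Snort source and not a full rule parser.
"""
import re
from dataclasses import dataclass


@dataclass
class Content:
    pattern: bytes
    fast_pattern: bool = False


@dataclass
class Rule:
    sid: int
    contents: list


def _decode_content(raw: str) -> bytes:
    """Turn a content string into bytes: '|00 0a|' hex blocks and
    backslash escapes such as '\\:' or '\\;' are resolved."""
    out = bytearray()
    for i, chunk in enumerate(raw.split("|")):
        if i % 2 == 1:                       # odd chunks sit between | | delimiters
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += re.sub(r"\\(.)", r"\1", chunk).encode()
    return bytes(out)


def parse_rule_options(options: str) -> Rule:
    """Parse only content / fast_pattern / sid from a rule body.
    fast_pattern applies to the most recently parsed content, as in Snort.
    Splitting on ';' is good enough for the sample rules used here."""
    contents, sid = [], 0
    for opt in (o.strip() for o in options.split(";") if o.strip()):
        if opt.startswith("content:"):
            raw = opt[len("content:"):].strip().strip('"')
            contents.append(Content(_decode_content(raw)))
        elif opt == "fast_pattern":
            contents[-1].fast_pattern = True
        elif opt.startswith("sid:"):
            sid = int(opt[4:])
    return Rule(sid, contents)


def select_fast_pattern(rule: Rule) -> bytes:
    """Explicit fast_pattern wins; otherwise the longest content is used.
    On equal lengths the first one is taken (assumption for this model)."""
    forced = [c for c in rule.contents if c.fast_pattern]
    if forced:
        return forced[0].pattern
    return max(rule.contents, key=lambda c: len(c.pattern)).pattern


def prefilter_hits(rule: Rule, payloads) -> int:
    """Payloads that contain the fast pattern, i.e. rules sent to full evaluation."""
    fp = select_fast_pattern(rule)
    return sum(1 for p in payloads if fp in p)


def full_matches(rule: Rule, payloads) -> int:
    """Payloads where every content is present (depth/offset ignored in this model)."""
    return sum(1 for p in payloads if all(c.pattern in p for c in rule.contents))


# Zultan's two variants and Joel's null-bytes-vs-esler case (sid values assumed).
RULE_OLD = ('flow:established,to_server; content:"GET "; depth:4; '
            'content:"User-Agent\\: long_spyware_user-agent_string"; sid:1000001;')
RULE_FP_GET = ('flow:established,to_server; content:"GET "; depth:4; fast_pattern; '
               'content:"User-Agent\\: long_spyware_user-agent_string"; sid:1000002;')
RULE_HEX = ('content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; '
            'content:"esler"; fast_pattern; sid:1000003;')

# Constructed client traffic: four GETs, one POST, one spyware User-Agent.
PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /img.png HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.64\r\n\r\n",
    b"GET /x HTTP/1.1\r\nHost: example.test\r\nUser-Agent: long_spyware_user-agent_string\r\n\r\n",
    b"POST /api HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /y HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Wget/1.20\r\n\r\n",
]


def compare(options: str, payloads=PAYLOADS) -> dict:
    """Summarise fast-pattern choice, prefilter cost and true matches for one rule."""
    rule = parse_rule_options(options)
    return {
        "sid": rule.sid,
        "fast_pattern": select_fast_pattern(rule),
        "prefilter_hits": prefilter_hits(rule, payloads),
        "full_matches": full_matches(rule, payloads),
    }


if __name__ == "__main__":
    for opts in (RULE_OLD, RULE_FP_GET, RULE_HEX):
        print(compare(opts))
```

Both User-Agent rules fire on the same single payload, but forcing `GET ` into the fast-pattern matcher sends four of the five payloads through full evaluation, while the default (longest content) choice sends only one. The third rule shows the case Joel raises: the 20 null bytes would be chosen by length, so `fast_pattern` on the short but rarer `esler` is what keeps the prefilter selective.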