[Snort-sigs] fast_pattern rules option

Todd Wease twease at ...435...
Thu Jul 9 10:11:59 EDT 2009


As a note, the pattern "|00 00 00 00 00 00 00 00 00 00 00|" will *not*
be considered more unique than "esler".  Snort will trim off leading
zeros in finding the "longest" pattern.  This was shown to increase
performance.  So if you want to use a string with a bunch of leading
zeros as the fast pattern you will need to add the fast_pattern modifier
to it.


Joel Esler wrote:
> On Thu, Jul 9, 2009 at 9:50 AM, Zultan <zultan at ...1298...> wrote:
>
>
>     > ----- Original Message -----
>     > From: "Matt Olney" <molney at ...435...>
>     > To: Zultan <zultan at ...1298...>
>     > Cc: snort-sigs at lists.sourceforge.net
>     > Subject: Re: [Snort-sigs] fast_pattern rules option
>     > Date: Thu, 9 Jul 2009 08:48:49 -0400
>     >
>     >
>     > Not sure I understand your question, but:
>
>
>     OK here's a longer example...
>
>     Say I want to detect a unique HTTP User-Agent string.  (They can
>     be way down inside the client's GET request.)
>
>     So to get snort to only examine client HTTP GET requests, instead
>     of all client traffic, I usually write it as:
>
>     alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"..........";
>     flow:established,to_server; content:"GET "; depth:4;
>     content:"User-Agent\: long_spyware_user-agent_string"; sid:......;
>     etc.)
>
>     But the way I'm reading the fast_pattern write-up on the VRT blog,
>     I really should write it as this instead:
>
>     alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"..........";
>     flow:established,to_server; content:"GET "; depth:4; fast_pattern;
>     content:"User-Agent\: long_spyware_user-agent_string"; sid:......;
>     etc.)
>
>     Because if I do my old way, by default it will first look for
>     "User-Agent\: long_spyware_user-agent_string" (unless I use
>     fast_pattern after content:"GET ").
>
>
> In that example, I'd want to use the long spyware string as the fp
> match.  It's more unique than the GET would be.  Uniqueness is what
> counts.  Let's say you have a NON-unique string that is 20 bytes long.
> Say "|00 00 00 00 00...etc"
>
> Then, you have a shorter string, let's say, my last name "esler" which
> is 5 characters, much shorter than the 20 byte string.  The 20 byte
> string would be picked up "naturally" by Snort's FP matcher, however,
> the "Esler" string is more unique, so I could specify the content
> match for "Esler" to be forced into the fast_pattern matcher instead
> of the 20 byte "|00 00 00 etc" string.
>
> In your example, I'd want to use the long_spyware string, as it is
> more unique than a GET.  A GET will occur hundreds of thousands of
> times a day.  The spyware string may only occur once.
>
> J
>  
>
>
>
> -- 
> joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
> ------------------------------------------------------------------------
>
>

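As an added illustration (not Snort's code, and not posted by anyone in this thread), here is a small Python model of the selection rule the thread describes: a content carrying the fast_pattern modifier is used as-is, otherwise Snort ranks by length after trimming leading zero bytes. The |hex| and backslash-escape parsing and the first-wins tie-break are assumptions of this model, not Snort's actual implementation.

```python
import re

# Snort content strings mix literal text with |hex bytes| segments.
HEX_SEGMENT = re.compile(r"\|([0-9a-fA-F\s]+)\|")
# Snort requires ; : " and \ to be backslash-escaped inside content.
ESCAPE = re.compile(r"\\([\\;:\"])")


def parse_content(content):
    """Turn a Snort content string into raw bytes (assumed parser)."""
    out = bytearray()
    pos = 0
    for m in HEX_SEGMENT.finditer(content):
        literal = ESCAPE.sub(r"\1", content[pos:m.start()])
        out += literal.encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    out += ESCAPE.sub(r"\1", content[pos:]).encode("latin-1")
    return bytes(out)


def ranking_length(content):
    """Length Snort ranks by: leading 0x00 bytes are trimmed first,
    so a run of nulls counts for nothing (Todd's point above)."""
    return len(parse_content(content).lstrip(b"\x00"))


def choose_fast_pattern(contents):
    """contents: list of (content_string, has_fast_pattern_modifier).

    Returns the content handed to the fast pattern matcher: the one
    tagged fast_pattern if any, otherwise the longest after trimming
    leading zeros.  First content wins on ties (assumption)."""
    flagged = [c for c, fp in contents if fp]
    if flagged:
        return flagged[0]
    return max((c for c, _ in contents), key=ranking_length)


# Constructed examples taken from the two rules and strings in this thread.
ZULTAN_RULE = [("GET ", False),
               ("User-Agent\\: long_spyware_user-agent_string", False)]
ESLER_STRINGS = [("|00 00 00 00 00 00 00 00 00 00 00|", False),
                 ("esler", False)]
```

Without a fast_pattern modifier the spyware User-Agent string and "esler" win in these two examples; adding the modifier to "GET " or to the zero string forces that content into the matcher instead.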