[Snort-sigs] fast_pattern rules option

Matt Olney molney at ...435...
Thu Jul 9 10:04:33 EDT 2009


Or, to put it a different way:

Having the VERY (relative to the detection engine) quick fast pattern
matching engine shuffling through the packets looking for
"User-Agent|3a|long_spyware_user-agent_string", and then having the
relatively slower (but much more flexible) detection engine options
ensure that the "GET" is present within the first four bytes of the
packet and then reverify the existence of the User-Agent string is
much faster than having the fast-pattern matcher pass every packet
with "GET" in it to the detection engine to check if it also has
User-Agent|3a|long_spyware_user-agent_string.

Matt

On Thu, Jul 9, 2009 at 9:00 AM, Joel Esler<eslerj at ...2420...> wrote:
> On Thu, Jul 9, 2009 at 9:50 AM, Zultan <zultan at ...1298...> wrote:
>>
>> > ----- Original Message -----
>> > From: "Matt Olney" <molney at ...435...>
>> > To: Zultan <zultan at ...1298...>
>> > Cc: snort-sigs at lists.sourceforge.net
>> > Subject: Re: [Snort-sigs] fast_pattern rules option
>> > Date: Thu, 9 Jul 2009 08:48:49 -0400
>> >
>> >
>> > Not sure I understand  your question, but:
>>
>>
>> OK here's a longer example...
>>
>> Say I want to detect a unique HTTP User-Agent string.  (They can be way
>> down inside the client's GET request.)
>>
>> So to get snort to only examine client HTTP GET requests, instead of all
>> client traffic, I usually write it as:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"..........";
>> flow:established,to_server; content:"GET "; depth:4; content:"User-Agent\:
>> long_spyware_user-agent_string"; sid:......; etc.)
>>
>> But the way I'm reading the fast_pattern write-up on the VRT blog, I
>> really should write it as this instead:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"..........";
>> flow:established,to_server; content:"GET "; depth:4; fast_pattern;
>> content:"User-Agent\: long_spyware_user-agent_string"; sid:......; etc.)
>>
>> Because if I do my old way, by default it will first look for
>> "User-Agent\: long_spyware_user-agent_string" (unless I use fast_pattern
>> after content:"GET ").
>
> In that example, I'd want to use the long spyware string as the fp match.
>  It's more unique than the GET would be.  Uniqueness is what counts.  Let's
> say you have a NON-unique string that is 20 bytes long.  Say "|00 00 00 00
> 00...etc"
> Then, you have a shorter string, let's say, my last name "esler" which is 5
> characters, much shorter than the 20 byte string.  The 20 byte string would
> be picked up "naturally" by Snort's FP matcher, however, the "Esler" string
> is more unique, so I could specify the content match for "Esler" to be
> forced into the fast_pattern matcher instead of the 20 byte "|00 00 00 etc"
> string.
> In your example, I'd want to use the long_spyware string, as it is more
> unique than a GET.  A GET will occur hundreds of thousands of times a day.
>  The spyware string may only occur once.
> J
>
>
>
> --
> joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
>
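The two-stage matching that Matt and Joel describe, as an added toy model that is not part of the thread and not Snort's code: stage 1 is the fast-pattern prefilter (one cheap substring search per packet), stage 2 is the full rule (the ordered content/depth checks). The HTTP payloads, the null-byte sample and the helper names (`prefilter`, `full_rule`, `evaluate`, `default_fast_pattern`, `rarest_content`) are all constructed for illustration; `default_fast_pattern` models Snort's documented default of taking the longest content when no option carries `fast_pattern`, and `rarest_content` models Joel's uniqueness criterion.

```python
# Added example, not from the thread: a toy model of Snort's two-stage matching.
# Stage 1 (fast-pattern prefilter) hands only packets containing one chosen
# content string to stage 2 (the full rule). Payloads below are constructed.

UA = b"User-Agent: long_spyware_user-agent_string"  # the unique string from the thread
GET = b"GET "

# Constructed client payloads; assume all are established, to_server traffic.
PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: a.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /x HTTP/1.1\r\nHost: a.test\r\nUser-Agent: curl/7.64\r\n\r\n",
    b"GET /y HTTP/1.1\r\nHost: b.test\r\n" + UA + b"\r\n\r\n",        # the only true positive
    b"GET /z HTTP/1.1\r\nHost: b.test\r\nUser-Agent: Wget/1.20\r\n\r\n",
    b"GET /w HTTP/1.1\r\nHost: c.test\r\nUser-Agent: Go-http-client\r\n\r\n",
    b"POST /up HTTP/1.1\r\nHost: c.test\r\nUser-Agent: curl/7.64\r\n\r\n",
    b"POST /up HTTP/1.1\r\nHost: d.test\r\n" + UA + b"\r\n\r\n",      # UA present, but not a GET
]

# Joel's second example: a 20-byte run of nulls that is common, and a short
# string that is rare. Constructed binary sample packets.
NULLS = b"\x00" * 20
BINARY_SAMPLE = [
    NULLS + b"\x01\x02\x03",
    b"\xff" + NULLS + b"\x04",
    b"hdr" + NULLS,
    b"hello esler world",
]


def prefilter(payloads, fast_pattern):
    """Stage 1: only packets containing the fast pattern reach the detection engine."""
    return [p for p in payloads if fast_pattern in p]


def full_rule(payload):
    """Stage 2: content:"GET "; depth:4; then the User-Agent content anywhere in the packet."""
    return payload[:4] == GET and UA in payload


def evaluate(payloads, fast_pattern):
    """Return (packets handed to the detection engine, packets that alert)."""
    candidates = prefilter(payloads, fast_pattern)
    alerts = [p for p in candidates if full_rule(p)]
    return len(candidates), len(alerts)


def default_fast_pattern(contents):
    """Snort's default when no content carries fast_pattern: pick the longest content."""
    return max(contents, key=len)


def rarest_content(contents, sample):
    """Joel's criterion: the content seen in the fewest sample packets, regardless of length."""
    return min(contents, key=lambda c: sum(c in p for p in sample))


if __name__ == "__main__":
    for fp in (GET, UA):
        seen, hit = evaluate(PAYLOADS, fp)
        print(f"fast_pattern={fp!r}: {seen} packets to detection engine, {hit} alert(s)")
    print("default picks:", default_fast_pattern([NULLS, b"esler"]))
    print("rarest picks: ", rarest_content([NULLS, b"esler"], BINARY_SAMPLE))
```

Both choices of fast pattern produce the same single alert, but prefiltering on `"GET "` sends five of the seven packets to the slower detection engine while prefiltering on the User-Agent string sends two. The null-byte sample shows why length alone is the wrong criterion: the default picks the 20-byte run of nulls, which appears in three of four packets, whereas the rarity check picks the 5-byte `esler`.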



