[Snort-sigs] fast_pattern rules option

Joel Esler eslerj at ...2420...
Thu Jul 9 10:14:01 EDT 2009


Okay, that's a good point.  :)  So, change the 00 00 00 00's in my example
to 90 90 90 90.
J

On Thu, Jul 9, 2009 at 10:11 AM, Todd Wease <twease at ...435...> wrote:

> As a note, the pattern "|00 00 00 00 00 00 00 00 00 00 00|" will *not*
> be considered more unique than "esler".  Snort will trim off leading
> zeros in finding the "longest" pattern.  This was shown to increase
> performance.  So if you want to use a string with a bunch of leading
> zeros as the fast pattern you will need to add the fast_pattern modifier
> to it.
>
>
> Joel Esler wrote:
> > On Thu, Jul 9, 2009 at 9:50 AM, Zultan <zultan at ...1298...> wrote:
> >
> >
> >     > ----- Original Message -----
> >     > From: "Matt Olney" <molney at ...435...>
> >     > To: Zultan <zultan at ...1298...>
> >     > Cc: snort-sigs at lists.sourceforge.net
> >     > Subject: Re: [Snort-sigs] fast_pattern rules option
> >     > Date: Thu, 9 Jul 2009 08:48:49 -0400
> >     >
> >     >
> >     > Not sure I understand  your question, but:
> >
> >
> >     OK here's a longer example...
> >
> >     Say I want to detect a unique HTTP User-Agent string.  (They can
> >     be way down inside the client's GET request.)
> >
> >     So to get snort to only examine client HTTP GET requests, instead
> >     of all client traffic, I usually write it as:
> >
> >     alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"..........";
> >     flow:established,to_server; content:"GET "; depth:4;
> >     content:"User-Agent\: long_spyware_user-agent_string"; sid:......;
> >     etc.)
> >
> >     But the way I'm reading the fast_pattern write-up on the VRT blog,
> >     I really should write it as this instead:
> >
> >     alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"..........";
> >     flow:established,to_server; content:"GET "; depth:4; fast_pattern;
> >     content:"User-Agent\: long_spyware_user-agent_string"; sid:......;
> >     etc.)
> >
> >     Because if I do my old way, by default it will first look for
> >     "User-Agent\: long_spyware_user-agent_string" (unless I use
> >     fast_pattern after content:"GET ").
> >
> >
> > In that example, I'd want to use the long spyware string as the fp
> > match.  It's more unique than the GET would be.  Uniqueness is what
> > counts.  Let's say you have a NON-unique string that is 20 bytes long.
> > Say "|00 00 00 00 00...etc"
> >
> > Then, you have a shorter string, let's say, my last name "esler" which
> > is 5 characters, much shorter than the 20 byte string.  The 20 byte
> > string would be picked up "naturally" by Snort's FP matcher, however,
> > the "Esler" string is more unique, so I could specify the content
> > match for "Esler" to be forced into the fast_pattern matcher instead
> > of the 20 byte "|00 00 00 etc" string.
> >
> > In your example, I'd want to use the long_spyware string, as it is
> > more unique than a GET.  A GET will occur hundreds of thousands of
> > times a day.  The spyware string may only occur once.
> >
> > J
> >
> >
> >
> >
> > --
> > joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
>
>


-- 
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
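The following Python is an added example, not part of the thread and not Snort's own code. It models the fast-pattern selection the thread describes (the longest content wins, leading 0x00 bytes are trimmed before lengths are compared, an explicit fast_pattern modifier overrides the choice) and then runs the chosen pattern as a prefilter over a handful of constructed HTTP requests, so you can see why a common string like "GET " is a poor fast pattern even when it is forced. Other content modifiers (depth, nocase) are ignored, the tie-break on equal length is an assumption, and the rules and requests are constructed for illustration.

```python
"""
Model of how Snort picks a rule's fast-pattern content and why it matters.
Added example, not Snort source: selection follows the mailing-list thread
(longest content wins, leading NULs trimmed first, fast_pattern overrides);
other modifiers are ignored and the sample rules/requests are constructed.
"""


def parse_content(raw: str) -> bytes:
    """Decode a Snort content string: literal text, backslash escapes
    (\\: \\; \\" \\\\) and |hex| blocks, e.g. "User-Agent\\: x|41 42|"."""
    out, i = bytearray(), 0
    while i < len(raw):
        ch = raw[i]
        if ch == "|":                          # |00 90 ..| hex block
            end = raw.index("|", i + 1)
            out += bytes.fromhex(raw[i + 1:end])
            i = end + 1
        elif ch == "\\":                       # escaped char taken literally
            out.append(ord(raw[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def split_options(opts: str) -> list:
    """Split the rule option body on ';' outside double quotes, keeping escapes."""
    toks, cur, in_quotes, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == '"':
            cur.append(ch); in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            toks.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        toks.append("".join(cur).strip())
    return toks


def parse_rule_contents(rule: str) -> list:
    """Return [(pattern_bytes, forced)]; a fast_pattern token attaches to the content before it."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for tok in split_options(opts):
        if tok.startswith("content:"):
            body = tok[len("content:"):].strip()[1:-1]   # drop surrounding quotes
            contents.append([parse_content(body), False])
        elif tok == "fast_pattern" and contents:
            contents[-1][1] = True
    return [tuple(c) for c in contents]


def choose_fast_pattern(contents: list) -> bytes:
    forced = [p for p, f in contents if f]
    if forced:
        return forced[0]
    # Longest wins after trimming leading NULs (Todd Wease's point);
    # ties go to the first listed content, which is an assumption.
    return max((p for p, _ in contents), key=lambda p: len(p.lstrip(b"\x00")))


def prefilter_hits(pattern: bytes, payloads: list) -> int:
    """Payloads the fast-pattern prefilter would hand to full rule evaluation."""
    return sum(1 for p in payloads if pattern in p)


# Zultan's rule as written, and with fast_pattern forced onto "GET ".
RULE_UA = r'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"spyware UA"; flow:established,to_server; content:"GET "; depth:4; content:"User-Agent\: long_spyware_user-agent_string"; sid:1000001;)'
RULE_UA_FORCED_GET = RULE_UA.replace("depth:4;", "depth:4; fast_pattern;")
# Joel's 20-byte-versus-"esler" example: NUL bytes, NOP bytes, NOPs with esler forced.
RULE_NUL = 'alert tcp any any -> any any (msg:"nul vs esler"; content:"|' + " ".join(["00"] * 20) + '|"; content:"esler"; sid:1000002;)'
RULE_NOP = RULE_NUL.replace("00 ", "90 ").replace(" 00|", " 90|").replace("nul vs", "nop vs")
RULE_NOP_FORCED = RULE_NOP.replace('content:"esler";', 'content:"esler"; fast_pattern;')

# Constructed client requests: four GETs (one is the spyware beacon) and one POST.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.19\r\n\r\n",
    b"GET /a.gif HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /beacon HTTP/1.1\r\nHost: example.com\r\nUser-Agent: long_spyware_user-agent_string\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def report(rule: str, payloads: list) -> tuple:
    fp = choose_fast_pattern(parse_rule_contents(rule))
    return fp, prefilter_hits(fp, payloads)


if __name__ == "__main__":
    for name in ("RULE_UA", "RULE_UA_FORCED_GET", "RULE_NUL", "RULE_NOP", "RULE_NOP_FORCED"):
        fp, hits = report(globals()[name], SAMPLE_REQUESTS)
        print(f"{name:19} fast pattern={fp!r} prefilter hits={hits}")
```

Running it shows the thread's points in one place: Zultan's rule as written already gets the User-Agent content as its fast pattern because it is the longer of the two, and only the one beacon request reaches full evaluation; forcing fast_pattern onto "GET " makes four of the five requests pass the prefilter; twenty NUL bytes lose to "esler" once leading zeros are trimmed; twenty 0x90 bytes beat "esler" on length and need fast_pattern on "esler" to override. The selection model is deliberately minimal and should not be read as a description of any particular Snort release's internals.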

