[Snort-sigs] fast_pattern rules option

Matt Olney molney at ...435...
Thu Jul 9 10:51:19 EDT 2009


SWEET!!!! I learned something!

Thanks Todd!

Matt

On Thu, Jul 9, 2009 at 9:14 AM, Joel Esler<eslerj at ...2420...> wrote:
> Okay, that's a good point.  :)  So, change the 00 00 00 00's in my example
> to 90 90 90 90.
> J
>
> On Thu, Jul 9, 2009 at 10:11 AM, Todd Wease <twease at ...435...> wrote:
>>
>> As a note, the pattern "|00 00 00 00 00 00 00 00 00 00 00|" will *not*
>> be considered more unique than "esler".  Snort will trim off leading
>> zeros in finding the "longest" pattern.  This was shown to increase
>> performance.  So if you want to use a string with a bunch of leading
>> zeros as the fast pattern you will need to add the fast_pattern modifier
>> to it.
>>
>>
>> Joel Esler wrote:
>> > On Thu, Jul 9, 2009 at 9:50 AM, Zultan <zultan at ...1298...
>> > <mailto:zultan at ...1298...>> wrote:
>> >
>> >
>> >     > ----- Original Message -----
>> >     > From: "Matt Olney" <molney at ...435...
>> >     <mailto:molney at ...435...>>
>> >     > To: Zultan <zultan at ...1298...
>> >     <mailto:zultan at ...1298...>>
>> >     > Cc: snort-sigs at lists.sourceforge.net
>> >     <mailto:snort-sigs at lists.sourceforge.net>
>> >     > Subject: Re: [Snort-sigs] fast_pattern rules option
>> >     > Date: Thu, 9 Jul 2009 08:48:49 -0400
>> >     >
>> >     >
>> >     > Not sure I understand your question, but:
>> >
>> >
>> >     OK here's a longer example...
>> >
>> >     Say I want to detect a unique HTTP User-Agent string.  (They can
>> >     be way down inside the client's GET request.)
>> >
>> >     So to get snort to only examine client HTTP GET requests, instead
>> >     of all client traffic, I usually write it as:
>> >
>> >     alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"..........";
>> >     flow:established,to_server; content:"GET "; depth:4;
>> >     content:"User-Agent\: long_spyware_user-agent_string"; sid:......;
>> >     etc.)
>> >
>> >     But the way I'm reading the fast_pattern write-up on the VRT blog,
>> >     I really should write it as this instead:
>> >
>> >     alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"..........";
>> >     flow:established,to_server; content:"GET "; depth:4; fast_pattern;
>> >     content:"User-Agent\: long_spyware_user-agent_string"; sid:......;
>> >     etc.)
>> >
>> >     Because if I do my old way, by default it will first look for
>> >     "User-Agent\: long_spyware_user-agent_string" (unless I use
>> >     fast_pattern after content:"GET ").
>> >
>> >
>> > In that example, I'd want to use the long spyware string as the fp
>> > match.  It's more unique than the GET would be.  Uniqueness is what
>> > counts.  Let's say you have a NON-unique string that is 20 bytes long.
>> > Say "|00 00 00 00 00...etc"
>> >
>> > Then, you have a shorter string, let's say, my last name "esler" which
>> > is 5 characters, much shorter than the 20 byte string.  The 20 byte
>> > string would be picked up "naturally" by Snort's FP matcher, however,
>> > the "Esler" string is more unique, so I could specify the content
>> > match for "Esler" to be forced into the fast_pattern matcher instead
>> > of the 20 byte "|00 00 00 etc" string.
>> >
>> > In your example, I'd want to use the long_spyware string, as it is
>> > more unique than a GET.  A GET will occur hundreds of thousands of
>> > times a day.  The spyware string may only occur once.
>> >
>> > J
>> >
>> >
>> >
>> >
>> > --
>> > joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
>>
>
>
>
> --
> joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
>
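Added example, not from the thread or from Snort itself: a small Python model of the selection rule Todd and Joel describe (explicit fast_pattern wins, otherwise the longest content after trimming leading zero bytes), assuming a simplified option parser that handles only content strings with |hex| blocks and backslash escapes. It lets you check which content a draft rule would hand to the fast-pattern matcher before loading it.

```python
import re
from dataclasses import dataclass

@dataclass
class Content:
    pattern: bytes
    fast_pattern: bool = False   # explicit fast_pattern modifier present

_HEX_RE = re.compile(r"\|([0-9A-Fa-f ]+)\|")
_CONTENT_RE = re.compile(r'^content\s*:\s*"((?:[^"\\]|\\.)*)"')

def _unescape(text: str) -> bytes:
    # Snort escapes ; \ " and (in older versions) : with a backslash
    return re.sub(r"\\(.)", r"\1", text).encode()

def decode_content(raw: str) -> bytes:
    """Turn a Snort content string such as 'GET |00 00|' into bytes."""
    out = bytearray()
    pos = 0
    for m in _HEX_RE.finditer(raw):
        out += _unescape(raw[pos:m.start()])
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += _unescape(raw[pos:])
    return bytes(out)

def parse_contents(options: str) -> list:
    """Walk the rule options in order; a fast_pattern option attaches to
    the content option that precedes it (Snort modifier semantics).
    Simplified parser (assumption): other modifiers are ignored."""
    contents = []
    for opt in re.split(r"(?<!\\);", options):
        opt = opt.strip()
        m = _CONTENT_RE.match(opt)
        if m:
            contents.append(Content(decode_content(m.group(1))))
        elif opt.startswith("fast_pattern") and contents:
            contents[-1].fast_pattern = True
    return contents

def choose_fast_pattern(options: str) -> bytes:
    """Explicit fast_pattern wins; otherwise the longest content after
    trimming leading NUL bytes (ties go to the first such content)."""
    contents = parse_contents(options)
    if not contents:
        return b""
    explicit = [c for c in contents if c.fast_pattern]
    if explicit:
        return explicit[0].pattern
    return max(contents, key=lambda c: len(c.pattern.lstrip(b"\x00"))).pattern
```

Running it on Zultan's two rule bodies shows the User-Agent string selected in the first and "GET " in the second, and on Todd's pair it selects "esler" over the eleven zero bytes unless fast_pattern is added to the zeros.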



