[Snort-sigs] PCRE Performance

Jason Wallace jason.r.wallace at ...2420...
Mon Oct 10 15:52:49 EDT 2011


There is nothing wrong with using pcre. Just make sure you use the flow:
option, ensure that the rule also has a content: option, make the pcre as
inexpensive as possible, and, if possible, limit the pcre to a particular
buffer.

So if you were looking for internal clients making requests to external urls
that look like that, then something like this would be appropriate:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Blah Blah Blah";
flow:from_client,established; content:"/testing"; nocase; http_uri;
pcre:"/testing[1-3]\.html/iU"; classtype:trojan-activity; sid:<xxx>; rev:1;)

Flow restricts the rule to established sessions; using content: with
http_uri helps limit the number of packets the pcre will need to evaluate.
The "U" option on the pcre restricts it to checking the normalized URI
buffer.

Overall, I don't think that is a very expensive rule, even though it uses a
pcre. How expensive it _really_ is would be based on how often "/testing" is
found in normal traffic on your network.

Thx,
Wally

On Mon, Oct 10, 2011 at 3:25 PM, <vincent at ...3611...> wrote:

> I'm trying to match a specific URL that ends in 1, 2, or 3.  So, the
> following would all be successful matches:
>
> /testing1.html
> /testing2.html
> /testing3.html
>
> Thanks,
>
> Vincent
>
>
>
> On Mon, 10/10/2011 12:19 PM, Jamie Riden <jamie.riden at ...2420...> wrote:
>
> If it was avoid at *all* costs, they wouldn't have implemented it :)
>
> Advice in the snort manual is to have your first match not be a PCRE
> though - more optimisation details available in the snort docs.
>
> What are you trying to match anyway?
>
> cheers,
> Jamie
>
> On 10 October 2011 14:10, <vincent at ...3611...> wrote:
> > Hello all,
> >
> > I wish to create a Snort signature to match a particular URI sequence. But,
> > the latter part of the URI can vary.  I have been told by others that the
> > use of PCRE in Snort rules should be avoided at all costs due to the
> > performance penalties of its use.  Is this true?  If so, is it possible to
> > logically "OR" the content keyword to look for 1 of many possible, valid,
> > URI sequences?
> >
> > Thanks!
> >
> > Vincent
> >
> >
> ------------------------------------------------------------------------------
> > All the data continuously generated in your IT infrastructure contains a
> > definitive record of customers, application performance, security
> > threats, fraudulent activity and more. Splunk takes this data and makes
> > sense of it. Business sense. IT sense. Common sense.
> > http://p.sf.net/sfu/splunk-d2dcopy1
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
>
>
>
> --
> Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
> http://uk.linkedin.com/in/jamieriden
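The evaluation order Wally describes, as an added Python model that is not part of the thread or of Snort itself: the cheap content:"/testing" check on the normalized URI buffer runs first and the PCRE is only evaluated on buffers that pass, so the PCRE cost tracks how often "/testing" shows up in ordinary traffic. It also shows why the class must be written [1-3]: a comma inside a character class is a literal, so [1,3] would match "testing,.html" and miss testing2.html. The request list and the percent-decoding normalization are constructed approximations, not Snort's real HTTP inspector.

```python
import re
from urllib.parse import unquote

# Constructed sample of client request URIs (not captured traffic).
REQUESTS = [
    "/testing1.html",
    "/Testing2.html",       # mixed case: nocase / the "i" flag must still match
    "/testing3.html",
    "/testing4.html",       # passes the content prefilter, rejected by the pcre
    "/testing%32.html",     # percent-encoded "2": the normalized buffer decodes it
    "/index.html",
    "/images/logo.png",
    "/testing/other.html",  # passes the content prefilter, rejected by the pcre
]

CONTENT = "/testing"                            # content:"/testing"; nocase; http_uri;
PCRE = re.compile(r"testing[1-3]\.html", re.I)  # pcre:"/testing[1-3]\.html/iU"


def normalize_uri(uri):
    """Rough stand-in for Snort's normalized URI buffer: percent-decode only."""
    return unquote(uri)


def evaluate(uris, use_content_prefilter=True):
    """Return (number of pcre evaluations, list of URIs the rule fires on)."""
    pcre_evals = 0
    matched = []
    for uri in uris:
        buf = normalize_uri(uri)
        # The content match is the cheap fast-pattern gate; when it fails
        # the pcre is never run against this buffer.
        if use_content_prefilter and CONTENT.lower() not in buf.lower():
            continue
        pcre_evals += 1
        if PCRE.search(buf):
            matched.append(uri)
    return pcre_evals, matched


def pcre_accepts(pattern, uri):
    """Run a candidate pcre body (without the /.../iU delimiters) on one URI."""
    return re.compile(pattern, re.I).search(normalize_uri(uri)) is not None


if __name__ == "__main__":
    print("with prefilter:   ", evaluate(REQUESTS))
    print("without prefilter:", evaluate(REQUESTS, use_content_prefilter=False))
```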