[Snort-sigs] PCRE Performance

vincent at ...3611...
Mon Oct 10 15:56:36 EDT 2011


Wally,

Okay--this makes perfect sense.  I didn't realize it would inspect the content parameter before invoking the pcre check.

Thanks!

Vincent

On Mon, 10/10/2011 03:52 PM, Jason Wallace <jason.r.wallace at ...2420...> wrote:
> There is nothing wrong with using pcre. Just make sure you use the flow: option, ensure that the rule also has a content: option, make the pcre as inexpensive as possible, and, if possible, limit the pcre to a particular buffer.
> 
> So if you were looking for internal clients making requests to external urls that look like that, then something like this would be appropriate:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Blah Blah Blah"; flow:from_client,established; content:"/testing"; nocase; http_uri; pcre:"/testing[1-3]\.html/iU"; classtype:trojan-activity; sid:<xxx>; rev:1; )
> 
> Flow restricts the rule to established sessions, using content: with http_uri helps limit the number of packets the pcre will need to evaluate. The "U" option on the pcre restricts it to checking the normalized URI buffer.
> 
> Overall, I don't think that is a very expensive rule, even though it uses a pcre. How expensive it _really_ is would be based on how often "/testing" is found in normal traffic on your network.
> 
> Thx,
> 
> Wally
> 
> On Mon, Oct 10, 2011 at 3:25 PM, <vincent at ...3611...> wrote:
> > I'm trying to match a specific URL that ends in 1, 2, or 3.  So, the following would all be successful matches:
> > 
> > /testing1.html
> > /testing2.html
> > /testing3.html
> > 
> > Thanks,
> > 
> > Vincent
> > 
> > On Mon, 10/10/2011 12:19 PM, Jamie Riden <jamie.riden at ...2420...> wrote:
> > > If it were to be avoided at *all* costs, they wouldn't have implemented it :)
> > > 
> > > Advice in the snort manual is to have your first match not be a PCRE though - more optimisation details available in the snort docs.
> > > 
> > > What are you trying to match anyway?
> > > 
> > > cheers,
> > >  Jamie
> > > 
> > > On 10 October 2011 14:10, <vincent at ...3611...> wrote:
> > > > Hello all,
> > > > 
> > > > I wish to create a Snort signature to match a particular URI sequence.  But, the latter part of the URI can vary.  I have been told by others that the use of PCRE in Snort rules should be avoided at all costs due to the performance penalties of its use.  Is this true?  If so, is it possible to logically "OR" the content keyword to look for 1 of many possible, valid, URI sequences?
> > > > 
> > > > Thanks!
> > > > 
> > > > Vincent
> > > > 
> > > --
> > > Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
> > > http://uk.linkedin.com/in/jamieriden
> > 
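As an added illustration, not code from the thread, here is a small Python model of the ordering discussed above: the cheap content: match gates the pcre, so the regex is only invoked on URIs that already contain "/testing". It also runs the character class against the three URIs Vincent listed; in PCRE `[1-3]` is a digit range, whereas the comma form `[1,3]` is a class of the literal characters `1`, `,` and `3` and would miss /testing2.html. The sample URIs and the stage counters are constructed for this example, and the model is a simplification of Snort's real fast-pattern and option evaluation.

```python
import re

# Constructed sample of normalized URIs (not from the thread), as the HTTP
# inspector would present them in the URI buffer the "U" modifier selects.
SAMPLE_URIS = [
    "/testing1.html",
    "/testing2.html",
    "/testing3.html",
    "/testing,.html",
    "/Testing3.HTML",
    "/index.html",
    "/images/logo.png",
]


def match_with_prefilter(uri, content, pcre, stats):
    """Model of Snort's option ordering: content: is checked before pcre:.

    The content match is case-insensitive (nocase) and only a hit lets the
    compiled regex run. stats counts how often each stage fires so the
    saving from the content prefilter is visible.
    """
    stats["content"] += 1
    if content.lower() not in uri.lower():
        return False          # cheap check failed: regex never invoked
    stats["pcre"] += 1
    return pcre.search(uri) is not None


def run_rule(uris, content, pattern):
    """Apply one content+pcre pair to every URI; return (hits, stats)."""
    pcre = re.compile(pattern, re.IGNORECASE)   # the /i modifier
    stats = {"content": 0, "pcre": 0}
    hits = [u for u in uris if match_with_prefilter(u, content, pcre, stats)]
    return hits, stats


if __name__ == "__main__":
    # Range class versus the comma slip: same prefilter cost, different hits.
    for pattern in (r"testing[1-3]\.html", r"testing[1,3]\.html"):
        hits, stats = run_rule(SAMPLE_URIS, "/testing", pattern)
        print(pattern, "->", hits, stats)
```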
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!