[Snort-sigs] [Emerging-Sigs] No real performance penalty?

Joel Esler jesler at ...435...
Wed Jan 18 10:04:00 EST 2012


On Jan 18, 2012, at 9:30 AM, elof at ...1288... wrote:

> Same question, different scenario:
> 
> If I have a rule that look for the evil pattern 'foobar' in all HTTP traffic like this:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (...; flow:established,to_server; content:"foobar"; depth:300; nocase; fast_pattern; ...)
> 
> My thoughts goes like this:
> I want to detect 'foobar' in all web-traffic from a client to a server.
> 
> I don't want to optimize the rule using 'http_uri' or simillar keywords, I want to look for 'foobar' anywhere in the packet.
> 
> I add "depth:300;" anyhow, as an optimization so snort won't have to look through the *entire* packet.
> 
> Now, correct me if I'm wrong, but I think that the Fast Pattern Matcher look for my fast pattern 'foobar' throughout the *entire* packet *anyhow* (and if 'foobar' is found, the rule is marked for full evaluation).
> 
The fast pattern matcher will pre-qualify the rule to run.  The rule will run after the FP.

> When evaluated, snort will look for 'foobar' again, but this time only in the first 300 bytes.
> 
In this case, yes.

> So, I added the "depth:300;" just for optimization, but in reality I would
> really prefer to have an alert if 'foobar' exist anywhere, even at the end of a 1500 byte packet...

Right.  It's half speed optimization to make the rule bail faster, and half false positive reduction.  Rules are about accuracy.  Not shots in the dark.  That's why the VRT verifies each rule we write and why FP reporting is so important.  We can't replicate every scenario or network.  We have some fantastic people that write in with FP reports in order for us to optimize our rules.

> Will there be any performance impact if I remove the depth keyword and replace it (and the "nocase") with "fast_pattern:only;"? Like this:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (...; flow:established,to_server; content:"foobar"; fast_pattern:only; ...)
> 
> I believe that this new rule work like this:
> The Fast Pattern Matcher look for 'foobar' throughout the entire packet (case insensitive), and that's pretty much it. The rule is marked for evaluation but the only thest there is the flow check.

And IPs and PORTS, and direction.  But otherwise, yes. You are correct.

> So in reality, the second rule syntax, which lack the depth constraint, is actually the more optimized one?

In terms of speed yes, but, you are talking about hundreds of a millisecond of a difference in this case.  It's more about accuracy and false positive reduction in this point.  Doing FP:only on one rule isn't going to speed things up immensely, but if you do it to a bunch of rules, (fully understanding what you are doing) it'll help a bit.  

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120118/f9042564/attachment.html>


More information about the Snort-sigs mailing list