[Snort-sigs] Sig help (Tumblr redirect)

Will Metcalf william.metcalf at ...2420...
Tue Jul 3 18:11:37 EDT 2012


If there are no relative matches/modifiers, the pattern does not get
truncated, and the pattern has nocase, why is "only" not automatically
applied to the pattern?  What is the point of snort ever checking the
pattern twice under these conditions?  Am I missing something there?

Regards,

Will

On Fri, Jun 29, 2012 at 12:01 PM, Patrick Mullen <pmullen at ...435...> wrote:
> James,
>
> While it wouldn't be comprehensive coverage, I don't see a reason why
> your rule wouldn't be a good way to catch a bunch of these spam
> messages if it's a common theme.
>
> Since you asked, there are two things I would do to improve the rule.
> One is a performance improvement, the other is a readability
> improvement.
>
> The readability improvement is that your content match is all ascii
> data so it's much easier to see what's going on if you use the actual
> ascii rather than the hex code in your rule.  It gets loaded the same
> way into the rule engine so there is no performance difference for
> using either method.
>
> content:"='://e'|3b|"  (Note I did still have to convert the semicolon
> to make the rules parser's life easier)
>
> The performance change is a huge boost by using fast_pattern:only on
> the content match.  Doing so implies nocase but here it doesn't matter
> and you actually specify it in your rule.  What this directive does is
> put the content match into the fast pattern matcher but removes it
> from the list of checks once evaluating the rule itself, effectively
> making it so the content match is only checked once.  Note you can
> only do fast_pattern:only if case sensitivity is not important and the
> match is location independent meaning it is not relative to anything
> and nothing is relative to it.
>
> content:"='://e'|3b|"; fast_pattern:only;
>
> The resulting rule is the following --
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> Tumblr spam redirect"; flow:from_server; file_data;
> content:"='://e'|3b|"; fast_pattern:only; metadata:policy security-ips
> drop, service http; classtype:bad-unknown; sid:10000014; rev:1;)
>
> Hope this helps!
>
>
> Thanks,
>
> ~Patrick
>
> --
> Patrick Mullen
> Research Manager
> Sourcefire VRT
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
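The thread above describes Snort's two-stage content matching (a case-insensitive fast-pattern prefilter, then full rule evaluation) and the conditions under which fast_pattern:only is safe. The following is an added example, not code from the original thread and not Snort's own implementation: a small Python model of that two-stage matcher that counts how many times a pattern is searched, shows why "only" implies nocase, and rejects the relative-modifier cases Patrick lists. The rule/content classes, the match() function and the sample HTML buffers are all constructed for this illustration; the default choice of the longest content as fast pattern is a simplification of what Snort actually does.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Content:
    """One content option of a rule (hypothetical model, not Snort's structures)."""
    pattern: bytes
    nocase: bool = False
    distance: Optional[int] = None  # relative to the end of the previous content match
    fast_pattern: bool = False
    only: bool = False               # models fast_pattern:only


@dataclass
class Rule:
    sid: int
    contents: List[Content]


def only_is_legal(rule: Rule) -> bool:
    """fast_pattern:only needs a location-independent content: it must not carry a
    relative modifier itself, and the content after it must not be relative to it."""
    for i, c in enumerate(rule.contents):
        if not c.only:
            continue
        if c.distance is not None:
            return False
        if i + 1 < len(rule.contents) and rule.contents[i + 1].distance is not None:
            return False
    return True


def fast_pattern_of(rule: Rule) -> Content:
    """Explicit fast_pattern if present, otherwise the longest content (simplified)."""
    for c in rule.contents:
        if c.fast_pattern or c.only:
            return c
    return max(rule.contents, key=lambda c: len(c.pattern))


def match(rule: Rule, buf: bytes) -> Tuple[bool, int]:
    """Return (matched, number of pattern searches performed on buf)."""
    if not only_is_legal(rule):
        raise ValueError(f"sid {rule.sid}: fast_pattern:only used with a relative content")
    searches = 0

    # Stage 1: fast pattern matcher. Case-insensitive by design, so it cannot tell
    # 'E' from 'e'; this is why fast_pattern:only implies nocase.
    fp = fast_pattern_of(rule)
    searches += 1
    if fp.pattern.lower() not in buf.lower():
        return False, searches

    # Stage 2: rule evaluation, every content option in order, honouring nocase/distance.
    pos = 0
    for c in rule.contents:
        if c.only:
            continue  # removed from this stage: the stage-1 search was its only check
        hay, needle = (buf.lower(), c.pattern.lower()) if c.nocase else (buf, c.pattern)
        start = pos + c.distance if c.distance is not None else 0
        searches += 1
        i = hay.find(needle, start)
        if i < 0:
            return False, searches
        pos = i + len(needle)
    return True, searches


# The content from the thread: ='://e' followed by a semicolon (|3b| in the rule).
PATTERN = b"='://e';"

RULE_NOCASE = Rule(1, [Content(PATTERN, nocase=True)])             # checked in both stages
RULE_CASE_SENSITIVE = Rule(2, [Content(PATTERN)])                   # stage 2 is case-sensitive
RULE_ONLY = Rule(3, [Content(PATTERN, only=True)])                  # fast_pattern:only
RULE_RELATIVE = Rule(4, [Content(PATTERN, only=True),
                         Content(b"xample", distance=0)])           # illegal: relative to "only"

# Constructed sample buffers standing in for the file_data of a Tumblr spam page.
SAMPLE_HIT = b'<script>var a="http"; var b=\'://e\'; location=a+b+"xample.com/spam";</script>'
SAMPLE_UPPER = b'<script>var a="http"; var b=\'://E\'; location=a+b+"xample.com/spam";</script>'
SAMPLE_MISS = b'<p>Nothing to see here; location="http://example.com/"</p>'

if __name__ == "__main__":
    for r in (RULE_NOCASE, RULE_CASE_SENSITIVE, RULE_ONLY):
        for name, buf in (("hit", SAMPLE_HIT), ("upper", SAMPLE_UPPER), ("miss", SAMPLE_MISS)):
            print(f"sid {r.sid} on {name}: matched={match(r, buf)[0]} searches={match(r, buf)[1]}")
    print("relative rule legal:", only_is_legal(RULE_RELATIVE))
```

Running the three legal rules over the three buffers shows the point made in the thread: without "only" the pattern is searched twice on a matching buffer (once by the prefilter, once during rule evaluation), with "only" it is searched once, and because the prefilter is case-insensitive the "only" form matches the upper-case variant even though nocase was never written, while the case-sensitive rule without "only" is rejected in stage 2.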
