[Snort-users] many rules with good fast_pattern vs. single rule with pcre

Duane Howard duane.security at ...11827...
Mon Dec 29 15:43:14 EST 2014


I'm writing some rules, and I find myself asking a question that's probably
been answered, but my searching isn't turning up something obvious.

In looking at a set of malware samples, the only consistent pattern that can
be used for all variants is a bunch of null bytes. This is a pretty poor
fast pattern, and this alone makes for a large number of FPs. Adding
another match to the rule can be done, but there are ~20 variants for the
next byte match; these are good fast_pattern matches from my basic testing.

My question is whether it's better to have 20 rules with a good fast
pattern, or one rule with a mediocre fast pattern and a pcre covering the
20 variants?

This is another instance where I find myself wishing flowbits were taken
into consideration *before* entering full rule evaluation, etc.

./d
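To make the tradeoff in the question concrete, here are the two rule layouts side by side. This is an added example written for this page, not rules from the poster or from any published ruleset; the null-byte run, the three variant byte pairs (|AA 01|, |AA 02|, |AB 10|), the SIDs and the message strings are constructed placeholders standing in for the real samples.

```snort
# Layout A: one rule. The 8-byte null run is the fast pattern, so it is the only
# thing the multi-pattern matcher (MPSE) sees. Because null runs are common in
# binary traffic, a large share of packets pass the prefilter and enter full
# evaluation, and the pcre is what has to reject the false positives each time.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"EXAMPLE family - all variants (weak fast pattern + pcre)"; \
    flow:established,to_server; \
    content:"|00 00 00 00 00 00 00 00|"; fast_pattern; \
    pcre:"/\x00{8}(?:\xAA\x01|\xAA\x02|\xAB\x10)/"; \
    classtype:trojan-activity; sid:1000001; rev:1; )

# Layout B: one rule per variant. The variant-specific bytes carry the
# fast_pattern modifier, so each rule is only fully evaluated on packets in
# which the MPSE already found that variant's bytes. The null run is then
# verified in rule order with plain content matching; no pcre is needed, and
# the variant bytes must sit immediately after the nulls (distance:0; within:2).
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"EXAMPLE family - variant 1"; \
    flow:established,to_server; \
    content:"|00 00 00 00 00 00 00 00|"; \
    content:"|AA 01|"; distance:0; within:2; fast_pattern; \
    classtype:trojan-activity; sid:1000002; rev:1; )

alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"EXAMPLE family - variant 2"; \
    flow:established,to_server; \
    content:"|00 00 00 00 00 00 00 00|"; \
    content:"|AA 02|"; distance:0; within:2; fast_pattern; \
    classtype:trojan-activity; sid:1000003; rev:1; )

alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"EXAMPLE family - variant 3"; \
    flow:established,to_server; \
    content:"|00 00 00 00 00 00 00 00|"; \
    content:"|AB 10|"; distance:0; within:2; fast_pattern; \
    classtype:trojan-activity; sid:1000004; rev:1; )
```

The point the layouts illustrate: the fast pattern decides how many packets reach full rule evaluation at all, while everything after it (further contents, pcre) only decides whether the packets that got through alert. In layout B the MPSE carries twenty short patterns instead of one, but each is selective, so the per-packet cost after the prefilter is a couple of cheap content checks rather than a pcre run on most binary traffic. One caveat worth checking against the real bytes: a two-byte pattern can itself be common in binary data, so the "good fast pattern" judgement should be confirmed with Snort's own profiling (`config profile_rules` and the pattern-match performance output) on representative traffic before settling on the twenty-rule layout.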