[Snort-users] many rules with good fast_pattern vs. single rule with pcre
duane.security at ...11827...
Mon Dec 29 15:43:14 EST 2014
I'm writing some rules, and I find myself asking a question that's probably
been answered, but my searching isn't turning up something obvious.
In looking at a set of malware samples, the only consistent pattern that can
be used for all variants is a bunch of null bytes. This is a pretty poor
fast pattern, and this alone makes for a large number of FPs. Adding
another match to the rule can be done, but there are ~20 variants for the
next byte match; these are good fast_pattern matches from my basic testing.
My question is whether it's better to have 20 rules with a good fast
pattern, or one rule with a mediocre fast pattern and a pcre covering the
This is another instance where I find myself wishing flowbits were taken
into consideration *before* entering full rule evaluation, etc.
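The trade-off in the question above, modelled as an added example (this is not code from the original post and not Snort's own implementation). Snort's two-stage evaluation is reduced to a plain substring search standing in for the multi-pattern fast_pattern prefilter, followed by a pcre-style regex as the full rule evaluation; offset/depth/flowbits and all other rule options are ignored. The eight-byte null run, the twenty four-byte variant markers (AAAA, BBBB, ...) and the sample payloads are constructed for the illustration and are not taken from any real malware. The point it makes is that both designs produce the same alerts, but the single-rule design drags every payload that merely contains nulls into full evaluation, while the twenty-rule design only does so for payloads that also carry a variant marker:

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical shared artifact and variant markers (constructed, not real samples).
NULL_RUN = b"\x00" * 8
VARIANT_MARKERS = [bytes([0x41 + i]) * 4 for i in range(20)]   # b"AAAA" .. b"TTTT"


@dataclass
class Rule:
    """A rule reduced to what matters here: one fast_pattern content and an
    optional regex that stands in for the pcre option."""
    sid: int
    fast_pattern: bytes
    pcre: Optional[re.Pattern] = None


def build_sample_traffic() -> List[bytes]:
    """Constructed traffic: 20 'malicious' payloads (nulls followed by a variant
    marker) plus 200 benign payloads that also contain the null run."""
    malicious = [b"HDR" + NULL_RUN + m + b"tail" for m in VARIANT_MARKERS]
    benign = [b"BENIGN%d" % i + NULL_RUN + b"zzzz" for i in range(200)]
    return malicious + benign


def design_a() -> List[Rule]:
    """One rule, weak fast pattern (the null run), pcre does the real work.
    Roughly: content:"|00 00 00 00 00 00 00 00|"; pcre:"/\\x00{8}(?:AAAA|BBBB|...)/";"""
    alternation = b"|".join(re.escape(m) for m in VARIANT_MARKERS)
    return [Rule(sid=1000001,
                 fast_pattern=NULL_RUN,
                 pcre=re.compile(b"\x00{8}(?:" + alternation + b")"))]


def design_b() -> List[Rule]:
    """Twenty rules, each with a longer, more selective fast pattern.
    Roughly: content:"|00 00 00 00 00 00 00 00|AAAA"; fast_pattern; (one rule per marker)"""
    return [Rule(sid=1000100 + i, fast_pattern=NULL_RUN + m)
            for i, m in enumerate(VARIANT_MARKERS)]


def evaluate(rules: List[Rule], payloads: List[bytes]) -> Tuple[int, int]:
    """Return (full_evaluations, alerts).

    Stage 1 (prefilter): a rule is considered only if its fast_pattern occurs in
    the payload. Stage 2 (full evaluation): every remaining option must match;
    here that is just the optional regex. Counting stage-2 entries measures the
    per-packet cost that a poor fast pattern imposes."""
    full_evaluations = 0
    alerts = 0
    for payload in payloads:
        for rule in rules:
            if rule.fast_pattern not in payload:
                continue                      # prefilter rejected this rule cheaply
            full_evaluations += 1
            if rule.pcre is None or rule.pcre.search(payload):
                alerts += 1
    return full_evaluations, alerts


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for name, rules in (("A: 1 rule, null-run fast_pattern + pcre", design_a()),
                        ("B: 20 rules, null-run+marker fast_pattern", design_b())):
        evals, hits = evaluate(rules, traffic)
        print(f"{name}: {len(traffic)} payloads, "
              f"{evals} full evaluations, {hits} alerts")
```

On this constructed traffic design A enters full evaluation 220 times (every payload contains the null run) for 20 alerts, while design B enters it 20 times for the same 20 alerts. The alert set is identical, so the difference is purely the prefilter's selectivity; the more selective content in each of the twenty rules is what keeps benign traffic out of pcre evaluation.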