[Snort-users] many rules with good fast_pattern vs. single rule with pcre

Joel Esler (jesler) jesler at ...589...
Mon Dec 29 16:24:04 EST 2014


The answer is:

It depends.

How big are the packets?  
Is the pcre really simple, or is it extremely complex?
What is the prequalifying content match?
Do you have a pcap?
If so, you can test this.


> On Dec 29, 2014, at 3:43 PM, Duane Howard <duane.security at ...11827...> wrote:
> 
> I'm writing some rules, and I find myself asking a question that's probably been answered, but my searching isn't turning up something obvious.
> 
> In looking at a set of malware samples the only consistent pattern that can be used for all variants is a bunch of null bytes. This is a pretty poor fast pattern, and this alone makes for a large number of FP's. Adding another match to the rule can be done, but there are ~20 variants for the next byte match, these are good fast_pattern matches from my basic testing.
> 
> My question, is whether it's better to have 20 rules with a good fast pattern, or one rule with a mediocre fast pattern and a pcre covering the 20 variants?
> 
> This is another instance where I find myself wishing flowbits were taken into consideration *before* entering full rule evaluation, etc.
> 
> ./d
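The variables Joel lists (packet size, pcre complexity, the prequalifying content) all feed one number: how many packets get past the fast_pattern prefilter into full rule evaluation. The following is an added example, not code from either poster or from the Snort project. It is a toy model of Snort's two-stage matching (fast_pattern prefilter, then content/pcre evaluation) run over constructed packets, comparing the two strategies from the question and printing each in Snort 2 rule syntax. The twenty variant markers, the packet mix and the sids are assumptions; the thread gives none of them.

```python
"""Toy model of Snort's two-stage rule matching (added example; constructed data).

Stage 1: one literal per rule (its fast_pattern) goes to the multi-pattern
         prefilter; a packet that lacks it never reaches the rule.
Stage 2: the remaining content/pcre options run on packets that passed stage 1.

Strategy A: 20 rules, each keyed on a selective per-variant marker.
Strategy B: 1 rule keyed on the shared null run, with a pcre covering all 20.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

NULL_RUN = b"\x00" * 8
# Hypothetical per-variant markers; the thread names none, these are constructed.
VARIANT_MARKERS = [b"\xca\xfe" + bytes([i]) for i in range(20)]


@dataclass
class Rule:
    sid: int
    fast_pattern: bytes                      # literal handed to the prefilter
    full_check: Callable[[bytes], bool]      # stage-2 evaluation


def strategy_a() -> List[Rule]:
    """One rule per variant: null run, then the marker (distance:0); the marker is the fast_pattern."""
    def check(payload: bytes, marker: bytes) -> bool:
        i = payload.find(NULL_RUN)
        return i >= 0 and payload.find(marker, i + len(NULL_RUN)) >= 0
    return [Rule(1000001 + n, m, lambda p, m=m: check(p, m))
            for n, m in enumerate(VARIANT_MARKERS)]


def strategy_b() -> List[Rule]:
    """One rule: the null run is the fast_pattern, a pcre alternation covers the variants."""
    alt = b"|".join(re.escape(m) for m in VARIANT_MARKERS)
    pcre = re.compile(rb"\x00{8}.*?(?:" + alt + rb")", re.DOTALL)
    return [Rule(1000100, NULL_RUN, lambda p: pcre.search(p) is not None)]


def evaluate(rules: List[Rule], packets: List[bytes]) -> Tuple[int, Set[int]]:
    """Return (number of stage-2 evaluations, indices of alerting packets)."""
    stage2 = 0
    alerts: Set[int] = set()
    for idx, payload in enumerate(packets):
        for rule in rules:
            if rule.fast_pattern in payload:     # stand-in for a prefilter hit
                stage2 += 1
                if rule.full_check(payload):
                    alerts.add(idx)
    return stage2, alerts


def build_traffic() -> List[bytes]:
    """Constructed packet mix: runs of nulls are common in benign binary traffic."""
    packets = []
    for i in range(200):   # benign binary records with zeroed fields, no marker
        packets.append(b"HDR" + bytes([i]) + NULL_RUN + b"\x00" * (i % 16) + b"body")
    for i in range(100):   # benign text, no nulls at all
        packets.append(b"GET /page%d HTTP/1.1\r\nHost: example.test\r\n\r\n" % i)
    for m in VARIANT_MARKERS:   # one sample per variant
        packets.append(b"XX" + NULL_RUN + b"\x01\x02" + m + b"tail")
    return packets


def compare() -> dict:
    """Run both strategies over the same traffic and report rule count, stage-2 load, alerts."""
    packets = build_traffic()
    out = {}
    for name, rules in (("A", strategy_a()), ("B", strategy_b())):
        stage2, alerts = evaluate(rules, packets)
        out[name] = {"rules": len(rules), "stage2": stage2, "alerts": sorted(alerts)}
    return out


def hexbytes(b: bytes) -> str:
    return "|" + " ".join(f"{x:02x}" for x in b) + "|"


def rule_text_a(n: int) -> str:
    """Strategy A in Snort 2 rule syntax (sids in the local range are assumed)."""
    m = VARIANT_MARKERS[n]
    return (f'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"variant {n}"; '
            f'content:"{hexbytes(NULL_RUN)}"; content:"{hexbytes(m)}"; distance:0; '
            f'fast_pattern; sid:{1000001 + n}; rev:1;)')


def rule_text_b() -> str:
    """Strategy B in Snort 2 rule syntax."""
    alt = "|".join("".join(f"\\x{x:02x}" for x in m) for m in VARIANT_MARKERS)
    return ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"any variant"; '
            f'content:"{hexbytes(NULL_RUN)}"; fast_pattern; '
            f'pcre:"/\\x00{{8}}.*?(?:{alt})/s"; sid:1000100; rev:1;)')


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"strategy {name}: {r['rules']} rule(s), {r['stage2']} stage-2 evaluations, "
              f"{len(r['alerts'])} alerts")
    print(rule_text_a(0))
    print(rule_text_b())
```

On this constructed mix both strategies alert on the same twenty packets, but strategy B sends every packet containing eight nulls (220 here) into pcre evaluation, while strategy A's prefilter lets only the twenty variant packets through. The ratio is entirely a property of the traffic, which is why the real answer is to replay the pcap: Snort 2.9's rule profiling (`config profile_rules` in snort.conf) reports per-rule checks and matches for exactly this comparison.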


