Snort mailing list archives

Re: PCRE Performance


From: vincent () ragosta net
Date: Mon, 10 Oct 2011 15:56:36 -0400

Wally,

Okay--this makes perfect sense.  I didn't realize it would inspect the content parameter before invoking the pcre check.

Thanks!

Vincent

On Mon, 10/10/2011 03:52 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:
There is nothing wrong with using pcre. Just make sure you use the flow: option, ensure that the rule also has a 
content: option, make the pcre as inexpensive as possible, and, if possible, limit the pcre to a particular buffer.


So if you were looking for internal clients making requests to external urls that look like that, then something like 
this would be appropriate:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Blah Blah Blah"; flow:from_client,established; content:"/testing"; nocase; http_uri; pcre:"/testing[1-3]\.html/iU"; classtype:trojan-activity; sid:<xxx>; rev:1;)

Flow restricts the rule to established sessions, using content: with http_uri helps limit the number of packets the 
pcre will need to evaluate. The "U" option on the pcre restricts it to checking the normalized URI buffer.


Overall, I don't think that is a very expensive rule, even though it uses a pcre. How expensive it _really_ is would 
be based on how often "/testing" is found in normal traffic on your network.

Thx,

Wally

On Mon, Oct 10, 2011 at 3:25 PM,  <vincent () ragosta net> wrote:

I'm trying to match a specific URL that ends in 1, 2, or 3.  So, the following would all be successful matches:

/testing1.html
/testing2.html
/testing3.html

Thanks,

Vincent


On Mon, 10/10/2011 12:19 PM, Jamie Riden <jamie.riden () gmail com> wrote:

If it was to be avoided at *all* costs, they wouldn't have implemented it :)

Advice in the snort manual is to have your first match not be a PCRE
though - more optimisation details available in the snort docs.

What are you trying to match anyway?

cheers,
 Jamie

On 10 October 2011 14:10,  <vincent () ragosta net> wrote:

Hello all,

I wish to create a Snort signature to match a particular URI sequence.  But,
the latter part of the URI can vary.  I have been told by others that the
use of PCRE in Snort rules should be avoided at all costs due to the
performance penalties of its use.  Is this true?  If so, is it possible to
logically "OR" the content keyword to look for 1 of many possible, valid,
URI sequences?

Thanks!


Vincent

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!





--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com

http://uk.linkedin.com/in/jamieriden
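Wally's rule relies on Snort running the cheap content: test on the normalized URI buffer before the pcre is ever invoked. The Python below is added here as an illustration and is not code from the thread or from Snort itself: it models that evaluation order over a handful of constructed request lines, with a simplified percent-decoding step standing in for http_inspect's URI normalization and Python's re module standing in for PCRE (the pattern uses only syntax both share). The pcre is written as testing[1-3]\.html, a range class matching exactly the three URIs Vincent listed, and the pcre_calls counter shows how many regex evaluations the content: prefilter saves.

```python
import re
from urllib.parse import unquote

# Added example, not code from the thread or from Snort. It models the order
# in which Snort evaluates the rule discussed above: the http_uri buffer is
# the *normalized* URI, content: is a cheap substring test on it, and the pcre
# runs only when content: has already matched.

CONTENT = "/testing"                                     # content:"/testing"; nocase; http_uri;
PCRE = re.compile(r"testing[1-3]\.html", re.IGNORECASE)  # pcre:"/testing[1-3]\.html/iU"

# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /testing1.html HTTP/1.1",
    "GET /TESTING2.html HTTP/1.1",
    "GET /testing%33.html HTTP/1.1",     # %33 decodes to '3' in the normalized buffer
    "GET /testing4.html HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /testing/index.html HTTP/1.1",
    "GET /testing,.html HTTP/1.1",       # a class written [1,3] would match this comma; [1-3] does not
]


def normalized_uri(request_line):
    """Simplified stand-in for Snort's http_inspect URI normalization:
    take the request target and percent-decode it."""
    _method, target, _version = request_line.split(" ", 2)
    return unquote(target)


def evaluate_rule(requests, prefilter=True):
    """Return (alerting URIs, number of pcre evaluations).

    prefilter=True runs the pcre only where content: matched, which is what
    Snort does; prefilter=False shows the cost of a pcre-only rule.
    """
    alerts, pcre_calls = [], 0
    for line in requests:
        uri = normalized_uri(line)
        # stage 1: cheap nocase substring test on the normalized URI buffer
        if prefilter and CONTENT.lower() not in uri.lower():
            continue                      # content: failed, pcre never runs
        # stage 2: the expensive check, reached only for prefiltered packets
        pcre_calls += 1
        if PCRE.search(uri):
            alerts.append(uri)
    return alerts, pcre_calls


if __name__ == "__main__":
    for mode in (True, False):
        alerts, calls = evaluate_rule(SAMPLE_REQUESTS, prefilter=mode)
        print(f"prefilter={mode}: {calls} pcre evaluations, alerts={alerts}")
```

On this sample the prefiltered rule evaluates the pcre 6 times and a pcre-only rule 8 times, both alerting on the same three URIs; on real traffic the saving scales with how rarely "/testing" appears in benign URIs, which is exactly the point about the rule's true cost.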
