Snort mailing list archives
Re: Sig help (Tumblr redirect)
From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 3 Jul 2012 17:11:37 -0500
If there are no relative matches/modifiers, the pattern does not get truncated, and the pattern has nocase, why is "only" not automatically applied to the pattern? What is the point of snort ever checking the pattern twice under these conditions? Am I missing something there?

Regards,
Will

On Fri, Jun 29, 2012 at 12:01 PM, Patrick Mullen <pmullen () sourcefire com> wrote:
James,

While it wouldn't be comprehensive coverage, I don't see a reason why your rule wouldn't be a good way to catch a bunch of these spam messages if it's a common theme. Since you asked, there are two things I would do to improve the rule. One is a performance improvement, the other is a readability improvement.

The readability improvement is that your content match is all ascii data so it's much easier to see what's going on if you use the actual ascii rather than the hex code in your rule. It gets loaded the same way into the rule engine so there is no performance difference for using either method.

content:"='://e'|3b|"

(Note I did still have to convert the semicolon to make the rules parser's life easier)

The performance change is a huge boost by using fast_pattern:only on the content match. Doing so implies nocase but here it doesn't matter and you actually specify it in your rule. What this directive does is put the content match into the fast pattern matcher but removes it from the list of checks once evaluating the rule itself, effectively making it so the content match is only checked once. Note you can only do fast_pattern:only if case sensitivity is not important and the match is location independent meaning it is not relative to anything and nothing is relative to it.

content:"='://e'|3b|"; fast_pattern:only;

The resulting rule is the following --

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Tumblr spam redirect"; flow:from_server; file_data; content:"='://e'|3b|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:bad-unknown; sid:10000014; rev:1;)

Hope this helps!

Thanks,

~Patrick

--
Patrick Mullen
Research Manager
Sourcefire VRT

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
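A checker for the conditions the two messages discuss, added here as an example that is neither the thread's code nor Snort's: it parses a rule's option body and reports each content match that has nocase, is not relative to anything, has nothing relative to it, and would not be truncated, so a rule author can see where fast_pattern:only is safe to add. The "before" rule is constructed from Patrick's final rule (James's original is not on the page), and the truncation length is a parameter because it depends on whatever max-pattern-len the detection engine is configured with (an assumption about the deployment, None meaning no cap).

```python
# Constructed "before" form of the thread's rule: nocase but no fast_pattern:only (James's original rule is not on the page).
RULE_BEFORE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Tumblr spam redirect"; '
               'flow:from_server; file_data; content:"=\'://e\'|3b|"; nocase; '
               'metadata:policy security-ips drop, service http; classtype:bad-unknown; sid:10000014; rev:1;)')

def split_options(rule):
    """Split the option body on ';' outside double quotes so |3b| (an escaped ';') survives.
    Returns (name, value) pairs; a backslash-escaped quote inside a content is not handled."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted = [], [], False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [(o.partition(":")[0].strip(), o.partition(":")[2].strip()) for o in opts if o]

def pattern_length(value):
    """Byte length of a content pattern; each |..| run counts one byte per hex pair."""
    text = value.lstrip("!").strip('"')
    return sum(len(p.split()) if i % 2 else len(p) for i, p in enumerate(text.split("|")))

def is_relative_option(name, value):
    """Non-content option evaluated relative to the preceding content, which ties that content down."""
    if name in ("byte_test", "byte_jump", "byte_extract", "isdataat"):
        return "relative" in value
    return name == "pcre" and "R" in value.rsplit("/", 1)[-1]  # pcre flags follow the last '/'

def fast_pattern_only_candidates(rule, max_pattern_len=None):
    """Contents meeting the thread's conditions for fast_pattern:only: nocase set, not relative to
    anything, nothing relative to them, not negated, not truncated (None = no max-pattern-len cap)."""
    groups = []  # each content paired with the options that follow it up to the next content
    for name, value in split_options(rule):
        if name == "content":
            groups.append((value, []))
        elif groups:
            groups[-1][1].append((name, value))
    out = []
    for i, (pattern, mods) in enumerate(groups):
        names = dict(mods)
        relative = "distance" in names or "within" in names  # this match is relative to the previous one
        anchored = any(is_relative_option(n, v) for n, v in mods) or (  # something is relative to it
            i + 1 < len(groups) and any(n in ("distance", "within") for n, _ in groups[i + 1][1]))
        truncated = max_pattern_len is not None and pattern_length(pattern) > max_pattern_len
        if ("nocase" in names and not pattern.startswith("!")
                and names.get("fast_pattern") != "only" and not (relative or anchored or truncated)):
            out.append(pattern)
    return out
```

Running `fast_pattern_only_candidates(RULE_BEFORE)` returns the single Tumblr content, which is exactly the match Patrick moved to fast_pattern:only; a rule whose next content carries distance or within, or whose pcre uses the R flag, returns nothing.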