Snort mailing list archives
Re: Order of stream_size and dsize checks?
From: Joshua Kinard <kumba () gentoo org>
Date: Fri, 21 Mar 2014 18:54:21 -0400
On 03/21/2014 2:22 PM, snort user wrote:
Joel - Could you please explain how the placing of stream_size or dsize will speed up evaluation of the rule? I can see that placing it upfront will eliminate evaluation of the more expensive options such as content or pcre, but is there some other aspect that will make the rule evaluation more faster with these rule options placed upfront? Thanks On Fri, Mar 21, 2014 at 2:11 PM, Joel Esler (jesler) <jesler () cisco com>wrote:You bring up a good point though, Harley, which is basically, if you put those checks first in the rule (before the content match) it can speed up the evaluation of the traffic by that rule. -- *Joel Esler* Open Source Manager Threat Intelligence Team Lead Vulnerability Research Team On Mar 21, 2014, at 12:06 PM, Steven Sturges < steve.sturges () sourcefire com> wrote: Rule options are evaluated in the order specified in the rule. On 3/21/14, 11:56 AM, Harley H wrote: Hello, Are stream_size and dsize checked following any or all content matches or are they performed first? -Harley
"dsize" is one of the "discrete" options. See Pg 229 in the back of the Snort 2.9.6.0 manual for a complete list of current discrete keywords. Most of them are checking specific numerical or flag/byte values in layer 3 & 4 (OSI Model) protocol headers. These should *always* go before any payload-based keywords. Section 3.9.4 has a really good example of how content's recursion can cause unneeded checks if you have a small pattern, but possibly large payload, and you don't check the size of the payload w/ dsize before searching for the pattern. As for whether stream_size is a discrete keyword...I am not certain. I've always treated it more as a payload-based keyword. I suppose that since the Stream5 Preprocessor sets up the data structure that keyword checks, it could be considered discrete, similar to the flow and dsize keywords (which are also calculated values, not present in the protocol headers in most cases). Also, while we're on the topic, make sure for flowbits, that you treat it more like an "if" conditional and place your isset/isnotset flowbits keywords before payload checks (but after any discrete keywords). Place remaining flowbits checks (set, setx, unset, toggle, reset, and noalert) after the payload. This further optimizes and allows the detection engine to bail early if a packet doesn't match. Generally, I group Snort keywords into four categories: discrete, payload, post-detection, & documentation. I thus write most rules like this: <rule header> (msg:<msg>; sid:<sid>; rev:<rev>; <discrete> <payload> <post-detect> <doc>) Discrete, see above. Payload keywords, are pretty much *anything* that operates on, touches, or manipulates payload data (flowbits keywords are payload operations to me). Post-detection keywords include the likes of threshold, detection_filter (even though this operates in the payload checking phase, it doesn't touch payload), tag, logto, session, resp, react, etc. Documentation keywords have no functionality (that I know of) on a rule's operation and their performance is mostly limited to the parsing phase at Snort start-up: metadata, reference, & priority. I further lump msg, sid, rev, gid, & classtype as "core" options that are usually always required in a rule (gid being the one exception; it's not specifically required, but is internally assumed to be '1' if not present). -- Joshua Kinard Gentoo/MIPS kumba () gentoo org 4096R/D25D95E3 2011-03-28 "The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic ------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/13534_NeoTech _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Order of stream_size and dsize checks? Harley H (Mar 21)
- Re: Order of stream_size and dsize checks? Steven Sturges (Mar 21)
- Re: Order of stream_size and dsize checks? Joel Esler (jesler) (Mar 21)
- Re: Order of stream_size and dsize checks? snort user (Mar 21)
- Re: Order of stream_size and dsize checks? Steven Sturges (Mar 21)
- Re: Order of stream_size and dsize checks? Joel Esler (jesler) (Mar 21)
- Re: Order of stream_size and dsize checks? Joshua Kinard (Mar 21)
- Re: Order of stream_size and dsize checks? Joel Esler (jesler) (Mar 21)
- Re: Order of stream_size and dsize checks? Steven Sturges (Mar 21)