Snort mailing list archives

RE: Dectecting Social Security Numbers?

From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 10 Sep 2004 17:06:33 -0400

At 04:10 PM 9/10/2004, Harper, Patrick wrote:

alert ip $HOME_NET any -> $EXTERNAL_NET any
(pcre:"/[1-9]{3,3}[-][1-9]{2,2}[-][1-9]{4,4}/"; msg:"SSN# in clear
text"; classtype:policy-violation; sid:2000370; rev:2;)

Note: your rule doesn't catch SSN's which contain zeros (mine contains atleast one zero, so this is valid). use [0-9] or \d instead of [1-9].


PCRE style and optimization suggestions:

For fixed-value repeats, consider using single-value notation instead ofranged notation. i.e.: use {3} instead of {3,3}. This is purely style thingin perl, and I assume the same of libpcre. Some regex engines might handle{n} differently than {n,n} and you might loose some performance here, but Idobut it.

If you're not doing a range of characters, don't use []. If you have to usepunctuation use \ to escape it instead of superfluous braces. ie \- insteadof [-]. This actually impacts performance and memory consumption in perl,and it probably hurts when using libpcre as well.


Take a look at how perl (5.8.0 tested here) handles /[-]/

        $perl -Mre=debug -e "/[-]/"
        Freeing REx: `","'
        Compiling REx `[-]'
        size 12 Got 100 bytes for offset annotations.
        first at 1
        1: ANYOF[\-](12)
        12: END(0)
        stclass `ANYOF[\-]' minlen 1
        Offsets: [12]
                1[3] 0[0] 0[0] 0[0] 0[0] 0[0] 0[0] 0[0] 0[0] 0[0] 0[0] 4[0]

Now look at how perl handles /\-/

        $ perl -Mre=debug -e "/\-/"
        Freeing REx: `","'
        Compiling REx `\-'
        size 3 Got 28 bytes for offset annotations.
        first at 1
        rarest char - at 0
        1: EXACT <->(3)
        3: END(0)
        anchored `-' at 0 (checking anchored isall) minlen 1
        Offsets: [3]
                1[134624689] 0[0] 3[0]

Note the factor of 4 size difference between the two regexes post-compile(size of 12 words vs size of 3 words) and over factor of 3 differencebetween the size of the offset tables (100 bytes vs 28 bytes). (A detailedexplanation of this output can be found in man perldebguts.)

Admittedly SA uses libpcre, and isn't using perl, but looking at how perlhandles a regex can give you a general idea of what constructs are fasterthan others.







-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on

who ports your project to Linux PPC the best. Sponsored by IBM.Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Dectecting Social Security Numbers? Lyons, Jon (Sep 10)
- Re: Dectecting Social Security Numbers? Adam Levy (Sep 10)
  - Stealth network card Carlos M Ospina (Sep 10)
    - Re: Stealth network card sekure (Sep 10)
- Message not available
  - Re: Dectecting Social Security Numbers? Matt Kettler (Sep 10)
- <Possible follow-ups>
- Re: Dectecting Social Security Numbers? Dan Fiorito (Sep 10)
- RE: Dectecting Social Security Numbers? Harper, Patrick (Sep 10)
  - Message not available
    - RE: Dectecting Social Security Numbers? Matt Kettler (Sep 10)
  - Re: Dectecting Social Security Numbers? Brian (Sep 10)
- RE: Dectecting Social Security Numbers? Lyons, Jon (Sep 10)
- RE: Dectecting Social Security Numbers? Harper, Patrick (Sep 10)