Snort mailing list archives

Re: PCRE Performance


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Mon, 10 Oct 2011 15:52:49 -0400

There is nothing wrong with using pcre. Just make sure you use the flow:
option, ensure that the rule also has a content: option, make the pcre as
inexpensive as possible, and, if possible, limit the pcre to a particular
buffer.

So if you were looking for internal clients making requests to external URLs
that look like that, then something like this would be appropriate:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Blah Blah Blah";
flow:from_client,established; content:"/testing"; nocase; http_uri;
pcre:"/testing[1-3]\.html/iU"; classtype:trojan-activity; sid:<xxx>; rev:1;)

Flow restricts the rule to established sessions, using content: with
http_uri helps limit the number of packets the pcre will need to evaluate.
The "U" option on the pcre restricts it to checking the normalized URI
buffer.

Overall, I don't think that is a very expensive rule, even though it uses a
pcre. How expensive it _really_ is would be based on how often "/testing" is
found in normal traffic on your network.

Thx,
Wally
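As an added illustration (not code from Wally's post or from Snort itself), the Python below restates the rule's two stages as plain functions: the cheap content: prefilter on the URI, then the PCRE only on the packets that passed it, with a constructed list of URIs standing in for "normal traffic" so the number of PCRE evaluations can be counted. It also shows why the character class has to be [1-3]: [1,3] is a class containing '1', ',' and '3', so it never matches /testing2.html. The function names and the sample URIs are assumptions of this example.

```python
import re

# content:"/testing"; nocase; http_uri;  -> a case-insensitive substring check
CONTENT = "/testing"

# pcre:"/testing[1-3]\.html/iU" -> digit 1, 2 or 3, then ".html", case-insensitive.
# The "U" flag (normalized URI buffer) is implicit here: we only ever see the URI.
PCRE_FIXED = re.compile(r"/testing[1-3]\.html", re.IGNORECASE)

# The class as written in the rule before correction: matches '1', ',' or '3'.
PCRE_AS_POSTED = re.compile(r"/testing[1,3]\.html", re.IGNORECASE)

# Constructed sample "traffic": mostly benign URIs plus a few near misses.
SAMPLE_URIS = [
    "/index.html",
    "/images/logo.png",
    "/testing1.html",
    "/Testing2.HTML",          # matches thanks to nocase / the i flag
    "/testing3.html",
    "/testing4.html",          # passes the prefilter, fails the pcre
    "/testing.html",           # passes the prefilter, fails the pcre
    "/api/v1/testing10.html",  # "1" is followed by "0", not ".html": no match
    "/static/app.js",
]


def content_prefilter(uri: str) -> bool:
    """Stage 1: the content: match Snort's fast pattern matcher would do."""
    return CONTENT in uri.lower()


def rule_matches(uri: str, pcre: re.Pattern = PCRE_FIXED) -> bool:
    """True if the URI would fire the rule: prefilter first, pcre only afterwards."""
    if not content_prefilter(uri):
        return False
    return pcre.search(uri) is not None


def evaluate_traffic(uris, pcre: re.Pattern = PCRE_FIXED):
    """Run the rule over many URIs; return (alerts, pcre_evaluations).

    pcre_evaluations is the cost Wally refers to: it grows with how often
    "/testing" occurs in ordinary traffic, not with the total packet count.
    """
    alerts = pcre_runs = 0
    for uri in uris:
        if not content_prefilter(uri):
            continue              # the pcre is never run on these packets
        pcre_runs += 1
        if pcre.search(uri):
            alerts += 1
    return alerts, pcre_runs
```

With the sample list, only 6 of the 9 URIs reach the PCRE and 3 of them alert; the [1,3] variant alerts on just 2 because it misses /Testing2.HTML.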

On Mon, Oct 10, 2011 at 3:25 PM, <vincent () ragosta net> wrote:

I'm trying to match a specific URL that ends in 1, 2, or 3.  So, the
following would all be successful matches:

/testing1.html
/testing2.html
/testing3.html

Thanks,

Vincent



On Mon, 10/10/2011 12:19 PM, Jamie Riden <jamie.riden () gmail com> wrote:

If it was to be avoided at *all* costs, they wouldn't have implemented it :)

Advice in the snort manual is to have your first match not be a PCRE
though - more optimisation details available in the snort docs.

What are you trying to match anyway?

cheers,
Jamie

On 10 October 2011 14:10, <vincent () ragosta net> wrote:
Hello all,

I wish to create a Snort signature to match a particular URI sequence. But,
the latter part of the URI can vary.  I have been told by others that the
use of PCRE in Snort rules should be avoided at all costs due to the
performance penalties of its use.  Is this true?  If so, is it possible to
logically "OR" the content keyword to look for 1 of many possible, valid,
URI sequences?

Thanks!

Vincent


------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden



