Re: Sig help (Tumblr redirect)

[Will Metcalf <william.metcalf () gmail com>]

If there are no relative matches/modifiers, the pattern does not get
truncated, and the pattern has nocase, why is "only" not automatically
applied to the pattern?  What is the point of snort ever checking the
pattern twice under these conditions?  Am I missing something there?

Regards,

Will

On Fri, Jun 29, 2012 at 12:01 PM, Patrick Mullen <pmullen () sourcefire com> wrote:
> James,
>
> While it wouldn't be comprehensive coverage, I don't see a reason why
> your rule wouldn't be a good way to catch a bunch of these spam
> messages if it's a common theme.
>
> Since you asked, there are two things I would do to improve the rule.
> One is a performance improvement, the other is a readability
> improvement.
>
> The readability improvement is that your content match is all ascii
> data so it's much easier to see what's going on if you use the actual
> ascii rather than the hex code in your rule.  It gets loaded the same
> way into the rule engine so there is no performance difference for
> using either method.
>
> content:"='://e'|3b|"  (Note I did still have to convert the semicolon
> to make the rules parser's life easier)
>
> The performance change is a huge boost by using fast_pattern:only on
> the content match.  Doing so implies nocase but here it doesn't matter
> and you actually specify it in your rule.  What this directive does is
> put the content match into the fast pattern matcher but removes it
> from the list of checks once evaluating the rule itself, effectively
> making it so the content match is only checked once.  Note you can
> only do fast_pattern:only if case sensitivity is not important and the
> match is location independent meaning it is not relative to anything
> and nothing is relative to it.
>
> content:"='://e'|3b|"; fast_pattern:only;
>
> The resulting rule is the following --
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> Tumblr spam redirect"; flow:from_server; file_data;
> content:"='://e'|3b|"; fast_pattern:only; metadata:policy security-ips
> drop, service http; classtype:bad-unknown; sid:10000014; rev:1;)
>
> Hope this helps!
>
>
> Thanks,
>
> ~Patrick
>
> --
> Patrick Mullen
> Research Manager
> Sourcefire VRT
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!