Snort mailing list archives

Re: Order of stream_size and dsize checks?


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 21 Mar 2014 19:51:01 +0000

Thanks Steve.

What I mean by “faster” is, because the rules are evaluated from left to right, the faster you can make that rule fail
upon evaluation, the faster the engine will run.

So, basically, you can have a rule that says:

dsize:320; content:"blah"; pcre:"/^blah\d4/";

or something. And while the fast pattern engine will cache “blah” to evaluate and make the rule “eligible” to be
evaluated, the first option it’ll run across is “dsize”. So the engine says “does the packet equal 320? No? Okay,
fail.”

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
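As an added example (not code from the thread or from Snort itself), here is a small Python model of the evaluation order Joel describes: a fast-pattern prefilter makes the rule eligible, then the options run left to right and stop at the first failure, so the ordering decides how often the expensive pcre check is ever reached. The packets are constructed, and the pcre is written as \d{4} rather than the thread's \d4, which is an assumption about the intended pattern.

```python
import re
from collections import Counter

# Constructed sample payloads (not from the thread). Three contain the fast
# pattern "blah" and so pass the prefilter; only the first is 320 bytes.
PACKETS = [
    b"blah1234" + b"x" * 312,   # 320 bytes, satisfies every option
    b"blah9999",                # has "blah" and 4 digits, wrong size
    b"blahabcd" + b"y" * 500,   # has "blah", no digits, wrong size
    b"nothing to see here",     # no fast pattern, never eligible
]

def check_dsize(payload, size):
    return len(payload) == size

def check_content(payload, needle):
    return needle in payload

def check_pcre(payload, pattern):
    return re.search(pattern, payload) is not None

OPTION_CHECKS = {"dsize": check_dsize, "content": check_content, "pcre": check_pcre}

def evaluate(rule, payload, counter):
    """Run option tuples left to right; stop at the first option that fails."""
    for name, arg in rule:
        counter[name] += 1          # count how often each check is executed
        if not OPTION_CHECKS[name](payload, arg):
            return False
    return True

def run(rule, fast_pattern, packets):
    """Prefilter on the fast pattern, then evaluate eligible packets.
    Returns (alert_count, Counter of executed checks per option)."""
    counter = Counter()
    alerts = 0
    for payload in packets:
        if fast_pattern not in payload:   # fast pattern matcher: rule not eligible
            continue
        if evaluate(rule, payload, counter):
            alerts += 1
    return alerts, counter

# Joel's ordering (cheap dsize first) versus putting the pcre first.
RULE_DSIZE_FIRST = [("dsize", 320), ("content", b"blah"), ("pcre", rb"^blah\d{4}")]
RULE_PCRE_FIRST = [("pcre", rb"^blah\d{4}"), ("content", b"blah"), ("dsize", 320)]

if __name__ == "__main__":
    for rule in (RULE_DSIZE_FIRST, RULE_PCRE_FIRST):
        alerts, counts = run(rule, b"blah", PACKETS)
        print([name for name, _ in rule], "alerts:", alerts, "checks:", dict(counts))
```

Both orderings raise the same single alert, but with dsize first the pcre runs once, while with pcre first it runs on every eligible packet.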

On Mar 21, 2014, at 2:58 PM, Steven Sturges <steve.sturges () sourcefire com> wrote:

For rules that match, all of the options will be evaluated, so no savings there, but avoiding complex checks such as
PCRE is always good for performance.

I'd recommend placing the options that are less likely to match on
all packets except the real thing, towards the front of the rule --
taking into account any relative dependencies, of course.

That is why most of the Sourcefire authored rules have flow (eg, to_server,established) as the first option.

Cheers
-steve

On 3/21/14, 2:22 PM, snort user wrote:
Joel -

Could you please explain how the placing of stream_size or dsize will
speed up evaluation of the rule? I can see that placing it upfront will
eliminate evaluation of the more expensive options such as content or
pcre, but is there some other aspect that will make the rule evaluation
faster with these rule options placed upfront?

Thanks



On Fri, Mar 21, 2014 at 2:11 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

   You bring up a good point though, Harley, which is basically, if you
   put those checks first in the rule (before the content match) it can
   speed up the evaluation of the traffic by that rule.

   --
   *Joel Esler*
   Open Source Manager
   Threat Intelligence Team Lead
   Vulnerability Research Team

   On Mar 21, 2014, at 12:06 PM, Steven Sturges <steve.sturges () sourcefire com> wrote:

   Rule options are evaluated in the order specified in the rule.

   On 3/21/14, 11:56 AM, Harley H wrote:
   Hello,
     Are stream_size and dsize checked following any or all content
   matches or are they performed first?

   -Harley


   ------------------------------------------------------------------------------
   Learn Graph Databases - Download FREE O'Reilly Book
   "Graph Databases" is the definitive new guide to graph databases
   and their
   applications. Written by three acclaimed leaders in the field,
   this first edition is now available. Download your free book today!
   http://p.sf.net/sfu/13534_NeoTech



   _______________________________________________
   Snort-devel mailing list
   Snort-devel () lists sourceforge net
   https://lists.sourceforge.net/lists/listinfo/snort-devel
   Archive:
   http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

   Please visit http://blog.snort.org for the latest news about Snort!


