Snort mailing list archives
Re: fast_pattern not always longest content string by default?
From: Mike Cox <mike.cox52 () gmail com>
Date: Tue, 2 Dec 2014 11:53:04 -0500
Just to close the loop here and to document this on the Internet somewhere in case I forget, it looks like fast pattern checks in HTTP Inspect buffers are case insensitive as well (checked on Snort 2.9).

Thanks!
-Mike Cox

On Wed, Nov 12, 2014 at 10:29 AM, Mike Cox <mike.cox52 () gmail com> wrote:

There is a long-held belief that the fast pattern matcher is case insensitive. Is that true as well for fast pattern matches in HTTP Inspect buffers? If not, has that always been the case?

Thanks!
-Mike Cox

On Wed, Oct 22, 2014 at 9:34 PM, Steve Sturges (ststurge) <ststurge () cisco com> wrote:

Legacy, kinda. But more efficient performance wise. :)

On Oct 22, 2014, at 9:18 PM, "Joshua Kinard" <kumba () gentoo org> wrote:

I'll wager that this is a relic of Snort's early days as primarily an HTTP traffic sniffer, before it became a more generic deep-packet inspection tool. Something like this should get a mention in the Snort manual, though there are several places where it states that the longest content match is the default, yet doesn't differentiate between a normal content match and a content match modified by an HTTP keyword. So, not a quick fix w/o refactoring the lingo in a few spots.

--J

On 10/22/2014 16:30, Josh Rosenbaum (jrosenba) wrote:

Hi Mike,

Sorry for this unfortunate news, but it looks like you will need to tweak those sigs. I can confirm that if a fast_pattern keyword is not specified for a given rule, the default fast pattern is the longest HTTP buffer content. If no HTTP buffer content is present, then the fast pattern is the longest content.

Josh

From: Mike Cox <mike.cox52 () gmail com>
Date: Wednesday, October 22, 2014 at 8:16 AM
Subject: [Snort-devel] fast_pattern not always longest content string by default?

Hi All,

I was looking thru some of my sigs with 'debug-print-fast-pattern' turned on and noticed that the fast pattern string was not always the longest content match by default. Specifically, it appears that content matches in (valid for fast_pattern) HTTP Inspect buffers (e.g. http_header, http_uri, etc.) are taking priority.

For example, consider this sig:

alert tcp any any -> any $HTTP_PORTS (msg:"FP Test"; flow:established,to_server; content:"twitter.com"; http_header; content:"hellow Twitter tweet"; sid:1234567;)

The longest content match is "hellow Twitter tweet" but when I look at the fast pattern debug output, the fast pattern used is "twitter.com". Having the HTTP Inspect buffers take priority makes sense because they will be smaller than the entire packet and thus more efficient. However, I do not see this behavior documented in the manual which says, "the default behavior of fast pattern determination is to use the longest content in the rule..." Can someone comment/confirm this? It is looking like I may have to review/tweak a plethora of sigs.... :(

Thanks!
-Mike Cox
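The selection order Josh confirms in this thread (an explicit fast_pattern wins; otherwise the longest content in an HTTP Inspect buffer; otherwise the longest content overall) and the case-insensitive prefilter Mike reports for Snort 2.9 can be modelled in a few lines, which is handy when auditing a large rule set for which string each sig will actually hand to the pattern matcher. The block below is an added example written for this archive page; it is not Snort's own code and does not reproduce its parser. It assumes that only http_uri, http_header and http_client_body are fast_pattern-eligible buffers (the thread only says "http_header, http_uri, etc."), that ties between equal-length contents go to the first one in the rule, and it uses the label "pkt" for contents without an http_* modifier. Offset, depth, distance and within modifiers are ignored in this model.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# HTTP Inspect buffers assumed to be valid fast-pattern sources (assumption:
# the thread names http_header and http_uri and says "etc.").
FP_HTTP_BUFFERS = ("http_uri", "http_header", "http_client_body")


@dataclass
class Content:
    pattern: bytes
    buffer: str = "pkt"        # "pkt" (hypothetical label) = no http_* modifier
    nocase: bool = False
    fast_pattern: bool = False


def _unescape(raw: str) -> bytes:
    """Expand a Snort content string: |hex bytes| blocks and backslash escapes."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == "|":
            j = raw.index("|", i + 1)
            out += bytes.fromhex(raw[i + 1:j])
            i = j + 1
        elif c == "\\" and i + 1 < len(raw):
            out.append(ord(raw[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def parse_contents(options: str) -> List[Content]:
    """Collect each content match and the modifiers that follow it."""
    contents: List[Content] = []
    # Split the option string on ';' outside double quotes.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', options):
        opt = opt.strip()
        if opt.startswith("content:"):
            m = re.match(r'content:\s*"(.*)"\s*$', opt)
            if m:                       # negated contents are skipped in this model
                contents.append(Content(pattern=_unescape(m.group(1))))
        elif contents:
            if opt in FP_HTTP_BUFFERS:
                contents[-1].buffer = opt
            elif opt == "nocase":
                contents[-1].nocase = True
            elif opt == "fast_pattern" or opt.startswith("fast_pattern:"):
                contents[-1].fast_pattern = True
    return contents


def default_fast_pattern(contents: List[Content]) -> Optional[Content]:
    """Explicit fast_pattern > longest HTTP-buffer content > longest content.
    On equal length the first content in the rule wins (assumption)."""
    explicit = [c for c in contents if c.fast_pattern]
    if explicit:
        return explicit[0]
    http = [c for c in contents if c.buffer in FP_HTTP_BUFFERS]
    pool = http or contents
    return max(pool, key=lambda c: len(c.pattern)) if pool else None


def fast_pattern_prefilter(contents: List[Content], buffers: Dict[str, bytes]) -> bool:
    """Case-insensitive prefilter, as the thread reports for both packet and
    HTTP Inspect buffers on Snort 2.9.  `buffers` maps buffer name to bytes."""
    fp = default_fast_pattern(contents)
    if fp is None:
        return True                     # no content at all: nothing to prefilter on
    return fp.pattern.lower() in buffers.get(fp.buffer, b"").lower()


def all_contents_match(contents: List[Content], buffers: Dict[str, bytes]) -> bool:
    """Full content evaluation after the prefilter; honours nocase per content."""
    for c in contents:
        hay = buffers.get(c.buffer, b"")
        if c.nocase:
            if c.pattern.lower() not in hay.lower():
                return False
        elif c.pattern not in hay:
            return False
    return True


# Option string from Mike's example sig (rule header omitted).
EXAMPLE_OPTIONS = ('msg:"FP Test"; flow:established,to_server; '
                   'content:"twitter.com"; http_header; '
                   'content:"hellow Twitter tweet"; sid:1234567;')

if __name__ == "__main__":
    cs = parse_contents(EXAMPLE_OPTIONS)
    fp = default_fast_pattern(cs)
    print(f"fast pattern: {fp.pattern!r} from buffer {fp.buffer}")
    # Constructed request: the header differs only in case, so the prefilter
    # passes while the case-sensitive content check still rejects it.
    hdrs = b"Host: TWITTER.COM\r\nUser-Agent: x\r\n"
    bufs = {"http_header": hdrs, "pkt": b"GET / HTTP/1.1\r\n" + hdrs}
    print(fast_pattern_prefilter(cs, bufs), all_contents_match(cs, bufs))
```

Running it on the example sig reports twitter.com from http_header as the fast pattern, matching the debug-print-fast-pattern output Mike saw. The prefilter being case insensitive is safe because it only widens the set of packets handed to full evaluation; the per-content nocase setting still decides the final verdict, which is why a mixed-case header passes the prefilter but not the full match.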
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- fast_pattern not always longest content string by default? Mike Cox (Oct 22)
- Re: fast_pattern not always longest content string by default? Josh Rosenbaum (jrosenba) (Oct 22)
- Re: fast_pattern not always longest content string by default? Joshua Kinard (Oct 22)
- Re: fast_pattern not always longest content string by default? Steve Sturges (ststurge) (Oct 22)
- Re: fast_pattern not always longest content string by default? Mike Cox (Oct 23)
- Re: fast_pattern not always longest content string by default? Joel Esler (jesler) (Oct 23)
- Re: fast_pattern not always longest content string by default? Mike Cox (Nov 12)
- Re: fast_pattern not always longest content string by default? Mike Cox (Dec 02)
- Re: fast_pattern not always longest content string by default? Josh Rosenbaum (jrosenba) (Dec 09)
- Re: fast_pattern not always longest content string by default? Joshua Kinard (Oct 22)
- Re: fast_pattern not always longest content string by default? Josh Rosenbaum (jrosenba) (Oct 22)