Snort mailing list archives

Re: Rule efficiency


From: Alex Kirk <akirk () sourcefire com>
Date: Fri, 23 Jul 2010 13:56:34 -0400

On Fri, Jul 23, 2010 at 1:38 PM, Isherwood, Jeffrey - IS <
Jeffrey.Isherwood () itt com> wrote:

I’m on the lookout for some traffic to several domains that I have been
asked to monitor… and I’m wondering which is more efficient, several rules
that each only look for a domain name – or one rule that looks for many
domain names at once?

Currently I’m doing the one at a time method, but the list of domains I
need to monitor just quadrupled and I am unsure which would be more
efficient…

Examples:

alert tcp any any -> any any (content:"baddomain.com"; nocase; priority:1; msg:"suspicious domain traffic alert baddomain.com"; classtype:string-detect; sid:1000422; gid:1; rev:1;)

alert tcp any any -> any any (content:"crappydomain.com"; nocase; priority:1; msg:"suspicious domain traffic alert crappydomain.com"; classtype:string-detect; sid:1000340; gid:1; rev:1;)

alert tcp any any -> any any (content:"shoulndtubworking.com"; nocase; priority:1; msg:"suspicious domain traffic alert shoulndtubworking.com"; classtype:string-detect; sid:1000420; gid:1; rev:1;)

alert tcp any any -> any any (content:"wasteoftime.net"; nocase; priority:1; msg:"suspicious domain traffic alert wasteoftime.net"; classtype:string-detect; sid:1000409; gid:1; rev:1;)

Multiple rules should be faster, due to the way Snort works. Snort's first
step for any packet is to use the fast pattern matcher to find appropriate
packets to operate on; the patterns used are based on the port used in the
rule, and either the longest static string specified in a content clause, or
the content clause specifically declared to be used by the "fast_pattern"
keyword. If the fast pattern matcher finds something, the rest of the rule
options are evaluated in order.

For cases where you've got a really small pattern, you're going to get a lot
more matches out of the fast pattern matcher, and thus force Snort to do
more work. Since the fast pattern matcher is, well, fast (so much so that
the dev team has called additional fast pattern checks "nearly free"), it
makes clear sense to get it to do as much sorting as possible for you before
you dig into the rules themselves.

Meanwhile, let me give you some thoughts on these rules in particular. If
you're looking for HTTP access, as I would guess based on your fictional
names, you'll need to specify the http_header keyword to go along with those
contents for Snort 2.8.6 and beyond - since hostnames appear in HTTP
headers, and you need that keyword to make Snort look there. Additionally,
you might consider switching these over to be rules that look for DNS
queries to the domains in question (assuming you're confident this is not
bot-generated traffic that's going off of an internal hosts file) - such
rules are almost as easy to write, and there's *way* less UDP traffic to
inspect than HTTP, which will help improve your overall performance pretty
dramatically.

Oh, and to anyone reading this: I almost top-posted, but then I decided not
to kill a kitten. ;-)

-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
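An added example, not part of Alex Kirk's reply or the original poster's rules: a small Python generator that turns a domain watch-list into the two rule shapes the reply recommends, the http_header-qualified HTTP rule and a UDP/53 DNS-query rule whose content is the name in its length-prefixed wire encoding (one length byte per label, zero byte terminator). The domain names and the base SID are constructed placeholders.

```python
"""Emit Snort 2.x rules for a domain watch-list in two variants:

  * an HTTP rule whose content is tied to the header buffer with http_header,
    since that is where a hostname appears from Snort 2.8.6 onward; and
  * a DNS rule matching the QNAME as it is on the wire, e.g.
    'baddomain.com' -> '|09|baddomain|03|com|00|'.

Constructed example: domains and base SID are placeholders, not real rules.
"""


def dns_wire_name(domain: str) -> str:
    """Snort content string for a DNS QNAME (length-prefixed labels).

    The encoding is a plain substring, so a query for www.baddomain.com
    (|03|www|09|baddomain|03|com|00|) also matches the baddomain.com pattern.
    """
    parts = []
    for label in domain.strip(".").lower().split("."):
        if not 1 <= len(label) <= 63:          # RFC 1035 label length limit
            raise ValueError(f"bad DNS label {label!r} in {domain!r}")
        parts.append(f"|{len(label):02X}|{label}")
    return "".join(parts) + "|00|"


def http_rule(domain: str, sid: int) -> str:
    """HTTP rule: same content as the poster's, but bound to the header buffer."""
    return ("alert tcp any any -> any any ("
            f'msg:"suspicious domain traffic alert {domain}"; '
            f'content:"{domain}"; nocase; http_header; '
            f"classtype:string-detect; sid:{sid}; rev:1;)")


def dns_rule(domain: str, sid: int) -> str:
    """DNS rule: the QNAME starts at byte 12 of the DNS message, so offset:12
    skips the header; the long encoded name keeps fast-pattern hits rare."""
    return ("alert udp any any -> any 53 ("
            f'msg:"DNS query for {domain}"; '
            f'content:"{dns_wire_name(domain)}"; nocase; offset:12; '
            f"classtype:string-detect; sid:{sid}; rev:1;)")


def generate(domains, base_sid=1000500):
    """One HTTP and one DNS rule per domain, SIDs allocated sequentially."""
    rules, sid = [], base_sid
    for d in domains:
        rules.append(http_rule(d, sid))
        rules.append(dns_rule(d, sid + 1))
        sid += 2
    return rules


if __name__ == "__main__":
    for r in generate(["baddomain.com", "wasteoftime.net"]):
        print(r)
```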
