Snort mailing list archives

Re: [Emerging-Sigs] No real performance penalty?


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 18 Jan 2012 10:04:00 -0500

On Jan 18, 2012, at 9:30 AM, elof () sentor se wrote:

Same question, different scenario:

If I have a rule that looks for the evil pattern 'foobar' in all HTTP traffic like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (...; flow:established,to_server; content:"foobar"; depth:300; nocase; fast_pattern; ...)

My thoughts go like this:
I want to detect 'foobar' in all web-traffic from a client to a server.

I don't want to optimize the rule using 'http_uri' or similar keywords, I want to look for 'foobar' anywhere in the packet.

I add "depth:300;" anyhow, as an optimization so snort won't have to look through the *entire* packet.

Now, correct me if I'm wrong, but I think that the Fast Pattern Matcher looks for my fast pattern 'foobar' throughout the *entire* packet *anyhow* (and if 'foobar' is found, the rule is marked for full evaluation).

The fast pattern matcher will pre-qualify the rule to run.  The rule will run after the FP.

When evaluated, snort will look for 'foobar' again, but this time only in the first 300 bytes.

In this case, yes.

So, I added the "depth:300;" just for optimization, but in reality I would really prefer to have an alert if 'foobar' exists anywhere, even at the end of a 1500 byte packet...

Right.  It's half speed optimization to make the rule bail faster, and half false positive reduction.  Rules are about accuracy.  Not shots in the dark.  That's why the VRT verifies each rule we write and why FP reporting is so important.  We can't replicate every scenario or network.  We have some fantastic people that write in with FP reports in order for us to optimize our rules.

Will there be any performance impact if I remove the depth keyword and replace it (and the "nocase") with "fast_pattern:only;"? Like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (...; flow:established,to_server; content:"foobar"; fast_pattern:only; ...)

I believe that this new rule works like this:
The Fast Pattern Matcher looks for 'foobar' throughout the entire packet (case insensitive), and that's pretty much it. The rule is marked for evaluation but the only test there is the flow check.

And IPs and PORTS, and direction.  But otherwise, yes. You are correct.

So in reality, the second rule syntax, which lacks the depth constraint, is actually the more optimized one?

In terms of speed yes, but, you are talking about hundredths of a millisecond of a difference in this case.  It's more about accuracy and false positive reduction at this point.  Doing FP:only on one rule isn't going to speed things up immensely, but if you do it to a bunch of rules, (fully understanding what you are doing) it'll help a bit.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
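The two-stage behaviour the thread agrees on (fast-pattern prequalification over the whole buffer, then full rule evaluation that honours depth) is easy to see in a small model. The following Python is an added illustration written for this page; it is not Snort code and not from either poster. It models only the content modifiers discussed (depth, nocase, fast_pattern, fast_pattern:only) and skips the IP/port/direction/flow checks Joel mentions. Rule names, the Content/Rule classes and the three sample payloads are all constructed for the example.

```python
# Added example: a model of Snort's two-stage content matching, showing why a
# fast-pattern content with depth:300 is prequalified on a packet that carries
# 'foobar' at byte ~1400 but then fails full evaluation, while the
# fast_pattern:only form of the rule alerts. Illustrative Python, not Snort code.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Content:
    """One content: option with only the modifiers discussed in the thread."""
    pattern: bytes
    depth: Optional[int] = None   # search only the first N payload bytes
    nocase: bool = False
    fast_pattern: bool = False    # this content feeds the fast-pattern matcher
    fp_only: bool = False         # fast_pattern:only -> never re-tested in rule eval

    def __post_init__(self):
        # Snort 2 rejects fast_pattern:only combined with offset/depth/distance/within.
        if self.fp_only and self.depth is not None:
            raise ValueError("fast_pattern:only cannot be combined with depth")


@dataclass(frozen=True)
class Rule:
    name: str
    contents: Tuple[Content, ...]

    def fast_pattern_content(self) -> Content:
        # Use the content marked fast_pattern; fall back to the longest content
        # (a simplification of Snort's automatic selection).
        marked = [c for c in self.contents if c.fast_pattern or c.fp_only]
        return marked[0] if marked else max(self.contents, key=lambda c: len(c.pattern))


def fast_pattern_prefilter(payload: bytes, rules) -> list:
    """Stage 1: the fast-pattern matcher searches the ENTIRE buffer,
    case-insensitively, ignoring depth. Any hit prequalifies the rule."""
    hay = payload.lower()
    return [r for r in rules if r.fast_pattern_content().pattern.lower() in hay]


def evaluate_rule(payload: bytes, rule: Rule) -> bool:
    """Stage 2: full evaluation. Every content is re-tested with its own
    modifiers, except a fast_pattern:only content, which is trusted from stage 1."""
    for c in rule.contents:
        if c.fp_only:
            continue
        hay = payload if c.depth is None else payload[:c.depth]
        needle = c.pattern
        if c.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def process_packet(payload: bytes, rules) -> dict:
    """Return {rule name: (prequalified, alerted)} for one to_server payload."""
    prequalified = fast_pattern_prefilter(payload, rules)
    return {
        r.name: (r in prequalified, r in prequalified and evaluate_rule(payload, r))
        for r in rules
    }


# The two rules from the thread, reduced to their content options (names constructed).
RULE_DEPTH = Rule("foobar-depth300",
                  (Content(b"foobar", depth=300, nocase=True, fast_pattern=True),))
RULE_FP_ONLY = Rule("foobar-fp-only", (Content(b"foobar", fp_only=True),))
RULES = (RULE_DEPTH, RULE_FP_ONLY)

# Constructed sample payloads, not real captures.
EARLY = b"GET /index.php?q=FooBar HTTP/1.1\r\nHost: example.test\r\n\r\n"
LATE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"
        + b"A" * 1400 + b"FOOBAR" + b"B" * 50)
CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for label, p in (("early", EARLY), ("late", LATE), ("clean", CLEAN)):
        print(label, process_packet(p, RULES))
```

On the LATE payload both rules are prequalified, because the prefilter ignores depth, but only the fast_pattern:only rule alerts; the depth:300 rule pays for the full evaluation and then drops the packet, which is the case elof describes. The ValueError in Content mirrors the Snort 2 restriction that fast_pattern:only cannot be combined with depth, so the second rule really has to drop the depth modifier rather than keep both.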
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
