
List:       snort-devel
Subject:    Re: [Snort-devel] fast_pattern not always longest content string by default?
From:       "Joel Esler (jesler)" <jesler () cisco ! com>
Date:       2014-10-23 17:51:22
Message-ID: 75B224D0-022E-49AD-AC79-C325E62D87F8 () cisco ! com


Thanks Mike, we'll open a doc bug for this.



Joel Esler
jesler@cisco.com



> On Oct 23, 2014, at 10:23 AM, Mike Cox <mike.cox52@gmail.com> wrote:
> 
> Thanks for the replies.  I don't disagree with this behavior but I do think the
> Snort manual should make this clear because I've been using Snort for many years
> and this is the first I've heard of it.
> -Mike Cox
> 
> On Wed, Oct 22, 2014 at 9:34 PM, Steve Sturges (ststurge) <ststurge@cisco.com> wrote:
> 
> > Legacy, kinda.  But more efficient performance wise.  :)
> > 
> > On Oct 22, 2014, at 9:18 PM, "Joshua Kinard" <kumba@gentoo.org> wrote:
> > I'll wager that this is a relic of Snort's early days as primarily an HTTP
> > traffic sniffer, before it became a more generic deep-packet inspection tool.
> > 
> > Something like this should get a mention in the Snort manual, though there are
> > several places where it states that the longest content match is the default,
> > yet doesn't differentiate between a normal content match and a content match
> > modified by an HTTP keyword.  So, not a quick fix w/o refactoring the lingo in
> > a few spots.
> > 
> > --J
> > 
> > 
> > > On 10/22/2014 16:30, Josh Rosenbaum (jrosenba) wrote:
> > > Hi Mike,
> > > 
> > > Sorry for this unfortunate news, but it looks like you will need to tweak those
> > > sigs.  I can confirm that if a fast_pattern keyword is not specified for a
> > > given rule, the default fast pattern is the longest HTTP buffer content.
> > > If no HTTP buffer content is present, then the fast pattern is the longest
> > > content.
> > > 
> > > Josh
> > > 
> > > 
> > > From: Mike Cox <mike.cox52@gmail.com>
> > > Date: Wednesday, October 22, 2014 at 8:16 AM
> > > Subject: [Snort-devel] fast_pattern not always longest content string by default?
> > > 
> > > Hi All,
> > > 
> > > I was looking thru some of my sigs with 'debug-print-fast-pattern' turned on
> > > and noticed that the fast pattern string was not always the longest content
> > > match by default.  Specifically, it appears that content matches in (valid
> > > for fast_pattern) HTTP Inspect buffers (e.g. http_header, http_uri, etc.)
> > > are taking priority.  For example, consider this sig:
> > > 
> > > alert tcp any any -> any $HTTP_PORTS (msg:"FP Test";
> > > flow:established,to_server; content:"twitter.com"; http_header;
> > > content:"hellow Twitter tweet"; sid:1234567;)
> > > 
> > > The longest content match is "hellow Twitter tweet" but when I look at the
> > > fast pattern debug output, the fast pattern used is "twitter.com".
> > > 
> > > Having the HTTP Inspect buffers take priority makes sense because they will
> > > be smaller than the entire packet and thus more efficient.  However, I do
> > > not see this behavior documented in the manual which says, "the default
> > > behavior of fast pattern determination is to use the longest content in the
> > > rule..."
> > > 
> > > Can someone comment/confirm this?  It is looking like I may have to
> > > review/tweak a plethora of sigs.... :(
> > > 
> > > Thanks!
> > > 
> > > -Mike Cox
> > 
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > Archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> > 
> > Please visit http://blog.snort.org for the latest news about Snort!
> 
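The selection order Josh confirms above (an explicit fast_pattern wins; otherwise the longest content in an HTTP Inspect buffer; otherwise the longest content overall), as a small Python model that lets you check a rule offline; this is an added example, not code from the thread or from Snort itself. The minimal option parser, the two rule variants and the set of fast-pattern-eligible HTTP modifiers (taken here to be http_uri, http_header and http_client_body) are assumptions made for the demonstration.

```python
"""Default fast_pattern selection as described in this thread (added example,
not Snort's own code): an explicit fast_pattern wins; otherwise the longest
content in an HTTP Inspect buffer; otherwise the longest content overall."""
import re
from dataclasses import dataclass, field

# Assumed set of HTTP Inspect buffer modifiers eligible for fast_pattern;
# extend it according to the manual for your Snort version.
HTTP_BUFFER_MODIFIERS = {"http_uri", "http_header", "http_client_body"}

@dataclass
class Content:
    pattern: str
    modifiers: list = field(default_factory=list)

def parse_contents(rule: str) -> list:
    """Return the rule's content options, each with the modifiers that follow it."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    # Split on ';' only outside double quotes (escaped quotes not handled).
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        name, _, value = opt.strip().partition(":")
        if name == "content":
            contents.append(Content(value.strip().strip('"')))
        elif contents and name in HTTP_BUFFER_MODIFIERS | {"fast_pattern"}:
            contents[-1].modifiers.append(name)   # attaches to preceding content
    return contents

def default_fast_pattern(rule: str) -> str:
    """Pick the fast pattern Snort would use for this rule, per the replies above."""
    contents = parse_contents(rule)
    if not contents:
        raise ValueError("rule has no content option")
    explicit = [c for c in contents if "fast_pattern" in c.modifiers]
    if explicit:                      # Snort allows one flagged content per rule
        return explicit[0].pattern
    http = [c for c in contents if HTTP_BUFFER_MODIFIERS & set(c.modifiers)]
    return max(http or contents, key=lambda c: len(c.pattern)).pattern

# Mike's rule from the thread (mail-client link artifacts removed) and two
# constructed variants: one without http_header, one with an explicit flag.
MIKES_RULE = ('alert tcp any any -> any $HTTP_PORTS (msg:"FP Test"; '
              'flow:established,to_server; content:"twitter.com"; http_header; '
              'content:"hellow Twitter tweet"; sid:1234567;)')
RULE_NO_HTTP = MIKES_RULE.replace(" http_header;", "")
RULE_EXPLICIT = MIKES_RULE.replace('tweet";', 'tweet"; fast_pattern;')
```

Running `default_fast_pattern` over the three rules reproduces what Mike saw: the http_header content wins by default, the longer raw content wins once the HTTP modifier is gone, and an explicit fast_pattern overrides both.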





