List: snort-devel
Subject: Re: [Snort-devel] fast_pattern not always longest content string by default?
From: "Joel Esler (jesler)" <jesler () cisco ! com>
Date: 2014-10-23 17:51:22
Message-ID: 75B224D0-022E-49AD-AC79-C325E62D87F8 () cisco ! com
Thanks Mike, we'll open a doc bug for this.
Joel Esler
jesler@cisco.com
> On Oct 23, 2014, at 10:23 AM, Mike Cox <mike.cox52@gmail.com> wrote:
>
> Thanks for the replies. I don't disagree with this behavior but I do think the
> Snort manual should make this clear because I've been using Snort for many years
> and this is the first I've heard of it.
> -Mike Cox
>
> On Wed, Oct 22, 2014 at 9:34 PM, Steve Sturges (ststurge) <ststurge@cisco.com> wrote:
> Legacy, kinda. But more efficient performance wise. :)
> > On Oct 22, 2014, at 9:18 PM, "Joshua Kinard" <kumba@gentoo.org> wrote:
> > I'll wager that this is a relic of Snort's early days as primarily an HTTP
> > traffic sniffer, before it became a more generic deep-packet inspection tool.
> >
> > Something like this should get a mention in the Snort manual, though there are
> > several places where it states that the longest content match is the default,
> > yet doesn't differentiate between a normal content match and a content match
> > modified by an HTTP keyword. So, not a quick fix w/o refactoring the lingo in
> > a few spots.
> >
> > --J
> >
> >
> > > On 10/22/2014 16:30, Josh Rosenbaum (jrosenba) wrote:
> > > Hi Mike,
> > >
> > > Sorry for this unfortunate news, but it looks like you will need to tweak those
> > > sigs. I can confirm that if a fast_pattern keyword is not specified for a
> > > given rule, the default fast pattern is the longest HTTP buffer content.
> > > If no HTTP buffer content is present, then the fast pattern is the longest
> > > content.
> > >
> > > Josh
> > >
> > >
> > > From: Mike Cox <mike.cox52@gmail.com>
> > > Date: Wednesday, October 22, 2014 at 8:16 AM
> > > Subject: [Snort-devel] fast_pattern not always longest content string by default?
> > > Hi All,
> > >
> > > I was looking thru some of my sigs with 'debug-print-fast-pattern' turned on
> > > and noticed that the fast pattern string was not always the longest content
> > > match by default. Specifically, it appears that content matches in (valid
> > > for fast_pattern) HTTP Inspect buffers (e.g. http_header, http_uri, etc.)
> > > are taking priority. For example, consider this sig:
> > >
> > > alert tcp any any -> any $HTTP_PORTS (msg:"FP Test";
> > > flow:established,to_server; content:"twitter.com"; http_header;
> > > content:"hellow Twitter tweet"; sid:1234567;)
> > >
> > > The longest content match is "hellow Twitter tweet" but when I look at the
> > > fast pattern debug output, the fast pattern used is "twitter.com".
> > >
> > > Having the HTTP Inspect buffers take priority makes sense because they will
> > > be smaller than the entire packet and thus more efficient. However, I do
> > > not see this behavior documented in the manual which says, "the default
> > > behavior of fast pattern determination is to use the longest content in the
> > > rule..."
> > >
> > > Can someone comment/confirm this? It is looking like I may have to
> > > review/tweak a plethora of sigs.... :(
> > >
> > > Thanks!
> > >
> > > -Mike Cox
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > Archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> > Please visit http://blog.snort.org for the latest news about Snort!
>
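The selection order Josh Rosenbaum confirms above (explicit fast_pattern wins; otherwise the longest content in a fast_pattern-eligible HTTP Inspect buffer; otherwise the longest raw content) can be checked offline against a ruleset instead of re-running snort with debug-print-fast-pattern on every edit. The script below is an added example written for this archive page, not code from the thread or from the Snort project. The buffer sets FP_HTTP_BUFFERS and NON_FP_BUFFERS, the exclusion of negated contents from the default choice, and the first-wins tie-break for equal lengths are assumptions taken from the Snort 2.9-era manual rather than from this thread; the sample rules are constructed from Mike's example.

```python
"""Model of Snort 2's default fast-pattern choice (added example, not Snort code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption (Snort 2.9-era manual, not this thread): HTTP Inspect buffers whose
# content may be the fast pattern, and buffers whose content never may.
FP_HTTP_BUFFERS = {"http_uri", "http_header", "http_client_body"}
NON_FP_BUFFERS = {"http_cookie", "http_raw_uri", "http_raw_header", "http_raw_cookie",
                  "http_method", "http_stat_code", "http_stat_msg"}
# One rule option: name, optional ':' value; quoted values may hold ';' and \" escapes.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*((?:"(?:[^"\\]|\\.)*"|[^";])*))?\s*;')


@dataclass
class Content:
    pattern: bytes                 # decoded bytes; length is measured on these
    negated: bool = False          # content:!"..."
    buffer: Optional[str] = None   # None = raw packet payload
    explicit_fp: bool = False      # fast_pattern keyword attached to this content


def decode_content(text: str) -> bytes:
    """|41 42| hex runs become bytes, a backslash escapes the next character, the
    rest is literal. Snort measures the decoded length, so |de ad be ef| is 4."""
    out, hexrun, i = bytearray(), None, 0
    while i < len(text):
        c = text[i]
        if hexrun is not None:
            if c == "|":
                out += bytes.fromhex(hexrun)
                hexrun = None
            elif not c.isspace():
                hexrun += c
        elif c == "|":
            hexrun = ""
        else:
            if c == "\\" and i + 1 < len(text):
                i += 1
                c = text[i]
            out += c.encode("latin-1")
        i += 1
    return bytes(out)


def parse_contents(rule: str) -> List[Content]:
    """Collect the content options; a modifier applies to the content before it."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents: List[Content] = []
    for m in OPTION_RE.finditer(body):
        name, value = m.group(1), (m.group(2) or "").strip()
        if name == "content":
            negated = value.startswith("!")
            quoted = value.lstrip("!").strip()
            if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
                raise ValueError(f"malformed content option: {m.group(0).strip()}")
            contents.append(Content(decode_content(quoted[1:-1]), negated))
        elif contents and name in FP_HTTP_BUFFERS | NON_FP_BUFFERS:
            contents[-1].buffer = name
        elif contents and name == "fast_pattern":
            # bare fast_pattern, fast_pattern:only and fast_pattern:<off>,<len>
            # all pin the fast pattern to this content
            contents[-1].explicit_fp = True
    return contents


def select_fast_pattern(rule: str) -> Optional[Content]:
    """Order confirmed in the thread: explicit keyword, else the longest content
    in an eligible HTTP buffer, else the longest raw-payload content."""
    contents = parse_contents(rule)
    explicit = [c for c in contents if c.explicit_fp]
    if len(explicit) > 1:
        raise ValueError("fast_pattern may be given only once per rule")
    if explicit:
        if explicit[0].negated or explicit[0].buffer in NON_FP_BUFFERS:
            raise ValueError("fast_pattern is not allowed on that content")
        return explicit[0]
    # Assumption: negated contents and NON_FP buffers are never chosen by default.
    eligible = [c for c in contents if not c.negated and c.buffer not in NON_FP_BUFFERS]
    for pool in ([c for c in eligible if c.buffer in FP_HTTP_BUFFERS],
                 [c for c in eligible if c.buffer is None]):
        if pool:
            # max() keeps the first of equal-length candidates; Snort's actual
            # tie-break is not covered by the thread (assumption).
            return max(pool, key=lambda c: len(c.pattern))
    return None


# Constructed sample rules: Mike's rule from the thread, the same rule with the
# longer content pinned, and a raw-only rule with a hex run and a negated content.
MIKE_RULE = ('alert tcp any any -> any $HTTP_PORTS (msg:"FP Test"; '
             'flow:established,to_server; content:"twitter.com"; http_header; '
             'content:"hellow Twitter tweet"; sid:1234567;)')
PINNED_RULE = MIKE_RULE.replace('tweet"; sid', 'tweet"; fast_pattern; sid')
RAW_RULE = ('alert tcp any any -> any any (msg:"raw"; content:"|de ad be ef|"; '
            'content:"abcde"; content:!"zzzzzzzzzz"; sid:1234568;)')
```

Feeding each line of a rules file to select_fast_pattern() and comparing its answer with what snort prints under debug-print-fast-pattern flags the rules whose default choice is a short HTTP-buffer content rather than the long raw content the author expected; adding fast_pattern to the intended content, as PINNED_RULE does, is the fix for those. The hex-run decoding matters for the same audit: a content written as "|de ad be ef|" is 4 bytes long when lengths are compared, not 13.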