[Emerging-Sigs] a variation of the bhdns rules
Jack Pepper
pepperjack at afferentsecurity.com
Fri Feb 22 09:18:02 EST 2008
I am not a fan of loading 17000+ snort rules into the content chain,
so I have put a variation of the bh dns snort rules on the autoshun
site.
http://www.autoshun.org/downloads/rbhdns.rules
It uses a program called "regex-from-hell" that builds PCRE backtracks
from piles of words (in this case domain names). I have the whole
bhdns list packed into 373 rules, rather than the 17000+ rules on the
previous list.
The rules are created to be optimized for how "pcre_study" in libpcre
works. If anyone is using the bhdns rules, I would recommend trying
out the regex version and watch the profile numbers to see how they
work in your environment.
As Matt correctly points out, these rules are a niche thing, are
certainly not for everyone, and are perhaps not the best way to track
infections in your environment.
Do not load both the old 17000+ ruleset and the new regex-from-hell
ruleset because they both use the same SIDs.
jp
--
Framework? I don't need no steenking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
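For readers who have not seen the technique: the example below is an added illustration of how a list of domains can be folded into a few trie-factored PCRE patterns, one per rule, instead of one content rule per domain. It is not the regex-from-hell tool and not the contents of rbhdns.rules; the sample domains, the SID base and the rule header are placeholders constructed for this example, and the name encoding is the standard DNS wire form (length byte, label, terminating zero byte), which is how a QNAME looks in the packet the pcre runs against.

```python
"""Fold a domain blocklist into trie-factored PCRE patterns, one per rule.

Added illustration; not the regex-from-hell tool or the rbhdns.rules file.
Sample domains, SID base and rule header are placeholders for this example.
"""
import re

# Constructed sample blocklist; not taken from the bhdns list.
SAMPLE_DOMAINS = [
    "bad-ads.example",
    "bad-ads2.example",
    "badware.example",
    "tracker.example",
    "tracker.example.net",
    "evil.test",
]


def dns_wire(name):
    """Encode a hostname as it appears in a DNS QNAME, e.g.
    'bad.example' -> '\\x03bad\\x07example' (root byte not included)."""
    return "".join(chr(len(label)) + label for label in name.lower().split("."))


def rx_char(ch):
    """Render one wire byte as a regex atom valid in both Python re and PCRE."""
    return ch if ch.isalnum() else "\\x%02x" % ord(ch)


def build_trie(words):
    """Character trie; the key '' marks the end of a word."""
    root = {}
    for word in words:
        node = root
        for ch in word:
            node = node.setdefault(ch, {})
        node[""] = {}
    return root


def trie_to_regex(node):
    """Emit one regex for every word in the trie. Common prefixes are shared,
    so the engine backtracks over one branch per distinct prefix rather than
    trying each domain in turn."""
    has_end = "" in node
    branches = [rx_char(ch) + trie_to_regex(node[ch])
                for ch in sorted(node) if ch != ""]
    if not branches:
        return ""                      # terminal node only
    body = "|".join(branches)
    if len(branches) == 1 and not has_end:
        return body                    # single continuation, no group needed
    return "(?:" + body + (")?" if has_end else ")")


def blocklist_pcre(domains):
    """Pattern matching any listed domain, or a host under it, in QNAME form.
    The trailing \\x00 is the root label, so 'tracker.example' does not
    match 'tracker.examples'."""
    wires = sorted({dns_wire(d) for d in domains})
    return trie_to_regex(build_trie(wires)) + "\\x00"


def domains_to_rules(domains, per_rule=2, sid_base=9000000):
    """Split the list into chunks and emit one Snort-style rule per chunk.
    The SID base and the rule header are placeholders for this example."""
    doms = sorted({d.lower() for d in domains})
    rules = []
    for i in range(0, len(doms), per_rule):
        pattern = blocklist_pcre(doms[i:i + per_rule])
        rules.append(
            'alert udp $HOME_NET any -> any 53 '
            '(msg:"Example DNS blocklist chunk %d"; pcre:"/%s/"; sid:%d; rev:1;)'
            % (len(rules) + 1, pattern, sid_base + len(rules))
        )
    return rules


def query_matches(pattern, qname):
    """Check a hostname against a generated pattern the way the engine sees
    it: the regex runs over the wire-encoded QNAME, root byte included."""
    return re.search(pattern, dns_wire(qname) + "\x00") is not None


if __name__ == "__main__":
    for rule in domains_to_rules(SAMPLE_DOMAINS):
        print(rule)
```

The chunk size is the knob to turn when profiling: fewer, larger patterns mean fewer rules for the detection engine to walk, but each pcre has more alternation for pcre_study to compile and more state to carry, so the right split depends on the sensor.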