[Emerging-Sigs] [Snort-sigs] GPL sid 2472 optimization.

Alex Kirk akirk at sourcefire.com
Mon Oct 11 11:43:16 EDT 2010


That's totally valid from a logic standpoint, and it validates out properly
with the PCAPs from our test suite. I'll make that change shortly.

On Mon, Oct 11, 2010 at 11:21 AM, Will Metcalf <william.metcalf at gmail.com> wrote:

> It seems to me that the pcre match in this sig is unnecessary. We can
> accomplish the same thing by eliminating the pcre match and simply
> modifying the offset in the relative byte_jump. This seems to cut the
> time to inspect this sig in half. Thoughts?
>
> Regards,
>
> Will
>
> Old:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS
> C$ unicode share access"; flow:established,to_server; content:"|00|";
> depth:1; content:"|FF|SMBu"; within:5; distance:3;
> byte_test:1,&,128,6,relative; pcre:"/^.{27}/R";
> byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|";
> distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10;
> distance:-10; nocase; classtype:protocol-command-decode; sid:2472;
> rev:9;)
>
> Rule Profile Statistics (all rules)
> ==========================================================
>   Num      SID GID Rev     Checks   Matches    Alerts  Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
>   ===      === === ===     ======   =======    ======  =========  =========  ========= ============
>     1     2472   1   9          6         2         1         49        8.3        4.7         10.1
>
> timestamp: 1286807914
> Rule Profile Statistics (all rules)
> ==========================================================
>   Num      SID GID Rev     Checks   Matches    Alerts  Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
>   ===      === === ===     ======   =======    ======  =========  =========  ========= ============
>     1     2472   1   9          6         2         1         37        6.2        5.5          6.6
>
> timestamp: 1286807915
> Rule Profile Statistics (all rules)
> ==========================================================
>   Num      SID GID Rev     Checks   Matches    Alerts  Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
>   ===      === === ===     ======   =======    ======  =========  =========  ========= ============
>     1     2472   1   9          6         2         1         41        7.0        4.9          8.0
>
> timestamp: 1286807916
> Rule Profile Statistics (all rules)
> ==========================================================
>   Num      SID GID Rev     Checks   Matches    Alerts  Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
>   ===      === === ===     ======   =======    ======  =========  =========  ========= ============
>     1     2472   1   9          6         2         1         45        7.5        4.7          8.9
>
>
> New:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS
> C$ unicode share access"; flow:established,to_server; content:"|00|";
> depth:1; content:"|FF|SMBu"; within:5; distance:3;
> byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative;
> content:"C|00 24 00 00 00|"; distance:2; nocase;
> content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10;
> nocase; classtype:protocol-command-decode; sid:2472; rev:9;)
>
> timestamp: 1286808040
> Rule Profile Statistics (all rules)
> ==========================================================
>   Num      SID GID Rev     Checks   Matches    Alerts  Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
>   ===      === === ===     ======   =======    ======  =========  =========  ========= ============
>     1     2472   1   9          6         2         1         14        2.5        3.3          2.1
>
> timestamp: 1286808041
> Rule Profile Statistics (all rules)
> ==========================================================
>   Num      SID GID Rev     Checks   Matches    Alerts  Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
>   ===      === === ===     ======   =======    ======  =========  =========  ========= ============
>     1     2472   1   9          6         2         1         15        2.7        3.6          2.2
>
> timestamp: 1286808042
> Rule Profile Statistics (all rules)
> ==========================================================
>   Num      SID GID Rev     Checks   Matches    Alerts  Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
>   ===      === === ===     ======   =======    ======  =========  =========  ========= ============
>     1     2472   1   9          6         2         1         18        3.1        4.3          2.5
>
> timestamp: 1286808043
> Rule Profile Statistics (all rules)
> ==========================================================
>   Num      SID GID Rev     Checks   Matches    Alerts  Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
>   ===      === === ===     ======   =======    ======  =========  =========  ========= ============
>     1     2472   1   9          6         2         1         14        2.3        3.4          1.8
>
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at sourcefire.com
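Editor's added example, not code from Will, Alex or the Snort/ET rule sets: a small Python model of the Snort detection cursor, run over a constructed SMB1 TREE_CONNECT_ANDX request, to show why replacing pcre:"/^.{27}/R" plus byte_jump:2,7 with byte_jump:2,34 is equivalent. After content:"|FF|SMBu" matches at offset 4 the cursor sits at 9; the pcre advances it 27 bytes to 36 (the WordCount byte), and a relative offset of 7 from there reads PasswordLength at 43. Reading at 9 + 34 = 43 lands on the same field without invoking PCRE. The SMB header layout used to build the sample (command at 8, flags2 at 14..15, WordCount at 36, PasswordLength at 43, ByteCount at 45) is the standard SMB1 layout; the simulator itself is a simplified reimplementation of the content/byte_test/pcre/byte_jump semantics and is an assumption, as is every sample packet. The third case also surfaces a side effect of the original rule: PCRE's `.` does not match 0x0A unless the `s` modifier is set, so the old rule fails on any request whose 27 skipped header bytes contain a newline byte (here a constructed PID of 0x0A0A), while the byte_jump version has no such gap.

```python
import re
import struct


def build_tree_connect(password, path, pid=0x1234, flags2=0x8001):
    """Constructed NBSS + SMB1 TREE_CONNECT_ANDX request (sample data, not a real capture).

    Offsets relevant to sid 2472: 0xFF 'S' 'M' 'B' 0x75 at 4, flags2 high byte at 15,
    WordCount at 36, PasswordLength at 43, ByteCount at 45, password then path at 47.
    """
    data = password + path.encode("utf-16-le") + b"\x00\x00" + b"?????\x00"
    smb_header = (
        b"\xffSMB" + b"\x75"                  # protocol id, command = TREE_CONNECT_ANDX
        + b"\x00\x00\x00\x00"                 # NT status
        + b"\x18"                             # flags
        + struct.pack("<H", flags2)           # flags2; bit 0x8000 = unicode strings
        + struct.pack("<H", 0)                # PID high
        + b"\x00" * 8                         # security signature
        + b"\x00\x00"                         # reserved
        + struct.pack("<HHHH", 0, pid, 0, 1)  # TID, PID, UID, MID
    )
    # WordCount, AndXCommand (0xFF = none), AndXReserved, AndXOffset, Flags, PasswordLength
    params = struct.pack("<BBBHHH", 7, 0xFF, 0, 0, 0x0008, len(password))
    body = smb_header + params + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body  # NBSS session message header


# Rule options as tuples; only the subset of keywords used by sid 2472 is modelled.
OLD_RULE = [
    ("content", b"\x00", {"depth": 1}),
    ("content", b"\xffSMBu", {"distance": 3, "within": 5}),
    ("byte_test", 1, 128, 6),                                   # byte_test:1,&,128,6,relative
    ("pcre", rb"^.{27}"),                                       # pcre:"/^.{27}/R"
    ("byte_jump", 2, 7),                                        # byte_jump:2,7,little,relative
    ("content", b"C\x00$\x00\x00\x00", {"distance": 2, "nocase": True}),
    ("content_not", b"I\x00P\x00C\x00$\x00\x00\x00",
     {"distance": -10, "within": 10, "nocase": True}),
]
# Will's change: drop the pcre and fold its 27 bytes into the byte_jump offset (27 + 7 = 34).
NEW_RULE = [("byte_jump", 2, 34) if op[0] == "byte_jump" else op
            for op in OLD_RULE if op[0] != "pcre"]


def run_rule(rule, payload):
    """Walk the options with a Snort-style detection cursor; True when every option passes."""
    cur = 0
    for op in rule:
        kind = op[0]
        if kind in ("content", "content_not"):
            _, needle, mod = op
            hay = payload
            if mod.get("nocase"):
                hay, needle = payload.lower(), needle.lower()
            relative = "distance" in mod or "within" in mod
            start = max(0, cur + mod.get("distance", 0)) if relative else 0
            if "within" in mod:
                end = start + mod["within"]       # match must lie entirely inside the window
            elif "depth" in mod:
                end = start + mod["depth"]
            else:
                end = len(hay)
            idx = hay.find(needle, start, end)
            if kind == "content_not":
                if idx >= 0:
                    return False                  # negated content found: rule fails
            elif idx < 0:
                return False
            else:
                cur = idx + len(needle)           # cursor moves to the end of the match
        elif kind == "byte_test":                 # byte_test never moves the cursor
            _, nbytes, mask, offset = op
            pos = cur + offset
            if pos + nbytes > len(payload):
                return False
            if not int.from_bytes(payload[pos:pos + nbytes], "little") & mask:
                return False
        elif kind == "pcre":                      # /R anchors the pattern at the cursor
            m = re.match(op[1], payload[cur:])    # like PCRE, '.' does not match b"\n" by default
            if not m:
                return False
            cur += m.end()
        elif kind == "byte_jump":                 # read the value, then jump past it
            _, nbytes, offset = op
            pos = cur + offset
            if pos + nbytes > len(payload):
                return False
            cur = pos + nbytes + int.from_bytes(payload[pos:pos + nbytes], "little")
    return True


def compare(payload):
    """Return the old and new rule verdicts for one payload."""
    return {"old": run_rule(OLD_RULE, payload), "new": run_rule(NEW_RULE, payload)}


if __name__ == "__main__":
    samples = {
        "C$ share, null password": build_tree_connect(b"\x00", "\\\\SERVER\\C$"),
        "C$ share, 24-byte password": build_tree_connect(b"A" * 24, "\\\\SERVER\\C$"),
        "IPC$ share (excluded by the negated content)": build_tree_connect(b"\x00", "\\\\SERVER\\IPC$"),
        "C$ share, PID 0x0A0A (newline byte inside the pcre span)":
            build_tree_connect(b"\x00", "\\\\SERVER\\C$", pid=0x0A0A),
        "C$ share, non-unicode flags2": build_tree_connect(b"\x00", "\\\\SERVER\\C$", flags2=0x0001),
    }
    for label, pkt in samples.items():
        print(f"{label}: {compare(pkt)}")
```

The byte_jump reads PasswordLength and skips the variable-length password, which is why the second sample (24-byte password) still alerts under both versions; the IPC$ sample shows the negated content doing its job in both; only the PID 0x0A0A sample separates them.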