[Emerging-Sigs] Bad Performing Rules

Victor Julien lists at inliniac.net
Tue Oct 11 12:07:01 EDT 2011


On 10/11/2011 03:41 PM, Nathan wrote:
> On 10/11/11 05:31, Matthew Jonkman wrote:
> 
>>> #Strange that flow-bit check only rule is so bad at performing, is it because
>>> it's instanced for every packet to check the state of a flowbit because there
>>> is no content match on it?
>>> emerging-policy.rules:alert tcp any !$SSH_PORTS -> any !$SSH_PORTS (msg:"ET
>>> POLICY SSH session in progress on Unusual Port"; flowbits: isset,is_proto_ssh;
>>> threshold: type both, track by_src, count 2, seconds 300;
>>> classtype:misc-activity; reference:url,doc.emergingthreats.net/2001984;
>>> sid:2001984; rev:7;)
>>
>> Yes. This is the only way we have to do this, which is why we've made suricata do things differently. This won't be a high load sig there. Can you go suricata?
> 
> At this time I can't go Suricata in this specific build-out but I do sing its
> praises.  Victor is a rock star for getting changes/patches hammered out even
> for my odd use-cases.  Now, for what it's worth, I understand this signature to
> also be a heavy-hitter on Suricata as well.  In Snort this one is the worst
> performer by a huge margin even when I sling 443 into SSH_PORTS.  Logically, I
> assume it's because it's checking the flowbit status for each and every packet
> not in $SSH_PORTS.
> 
> Would it make sense to add a flow:established,to_server here?  So at least we're
> looking at flows and not individual packets?

I looked into this a little bit last week, this is a way more efficient
version for Suricata:

alert ssh any !$SSH_PORTS -> any !$SSH_PORTS (msg:"ET POLICY SSH session
in progress on Unusual Port"; flow:established,to_server; threshold:
type both, track by_src, count 2, seconds 300; classtype:misc-activity;
reference:url,doc.emergingthreats.net/2001984; sid:2001985; rev:7;)

It relies on our protocol detection instead of the flowbit logic.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
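As an added illustration (not code from this thread, from Suricata or from ET), a small Python linter that parses the two rules above and flags the pattern Nathan describes: a flowbits isset check with no content match on a transport-layer protocol, and no flow keyword. The rule parser and the heuristic are a simplification assumed here, and the rules are taken from the thread and joined onto single lines.

```python
import re

# Constructed input: the original ET rule quoted in the thread and the
# Suricata rewrite from this message, each joined onto a single line.
RULES = [
    'alert tcp any !$SSH_PORTS -> any !$SSH_PORTS (msg:"ET POLICY SSH session in '
    'progress on Unusual Port"; flowbits: isset,is_proto_ssh; threshold: type both, '
    'track by_src, count 2, seconds 300; classtype:misc-activity; '
    'reference:url,doc.emergingthreats.net/2001984; sid:2001984; rev:7;)',
    'alert ssh any !$SSH_PORTS -> any !$SSH_PORTS (msg:"ET POLICY SSH session in '
    'progress on Unusual Port"; flow:established,to_server; threshold: type both, '
    'track by_src, count 2, seconds 300; classtype:misc-activity; '
    'reference:url,doc.emergingthreats.net/2001984; sid:2001985; rev:7;)',
]

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')  # ';' outside quotes
TRANSPORT = {'ip', 'tcp', 'udp', 'icmp'}  # no app-layer protocol in the header

def parse_rule(text):
    # Returns the action, the header protocol and a list of (keyword, value) pairs.
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a rule header: %r' % text[:40])
    options = []
    for opt in OPT_SPLIT.split(m.group(8)):
        if opt.strip():
            key, _, val = opt.partition(':')
            options.append((key.strip(), val.strip()))
    return {'action': m.group(1), 'proto': m.group(2), 'options': options}

def lint(rule):
    # Heuristic findings for the pattern discussed in the thread: a flowbit
    # check with nothing else to narrow the rule, on a transport protocol.
    keys = {k for k, _ in rule['options']}
    findings = []
    if keys & {'content', 'pcre'}:
        return findings  # a content match lets the engine prefilter the rule
    flowbit_check = any(k == 'flowbits' and v.startswith(('isset', 'isnotset'))
                        for k, v in rule['options'])
    if flowbit_check and rule['proto'] in TRANSPORT:
        findings.append('flowbit check with no content on %s: evaluated per packet'
                        % rule['proto'])
    if 'flow' not in keys:
        findings.append('no flow keyword: not limited to established flows')
    return findings
```

Running lint over both rules flags only sid:2001984; the rewrite with an app-layer protocol in the header and a flow keyword comes back clean.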

