[Emerging-Sigs] Jorik FakeAV sig
jesler at sourcefire.com
Mon Oct 31 14:34:38 EST 2011
On Oct 31, 2011, at 2:22 PM, Matthew Jonkman wrote:
> On Oct 31, 2011, at 1:09 PM, Packet Hack wrote:
>> So can someone give the quick and dirty when it's better to use
>> fast_pattern:only vs. http_uri/http_method?
> I don't know that there's a simple answer there. And it'll vary depending on the engine.
> fast pattern only is complicated on Snort, and I have to admit I don't fully understand it there. You can create false negatives in cases where you put too long a string into FP:only, etc. So we tend to let snort and suricata make the decisions on fast pattern when we can. They both do a good job by default.
Well.. No. fast_pattern:only will override the "too long a string" thing that you are thinking about, Matt. fast_pattern should be used in cases where a pattern is more unique than the "longest" pattern. To keep it simple.
> As for using http_*, that's important on both engines snort and suri. Normalization, especially in the URIs is critical. Performance is a moot point really, if not normalized we become extremely evadable.
Well... No. Performance is better when reading from a normalized buffer. At least in Snort it is. *I* know absolutely nothing about Suricata. On purpose, mind you. Oh, I know bits and pieces here and there, but for the most part, I know nothing about its interior or performance.
http_method is a check for that particular buffer; overall, I think people check this buffer too much. You should only use this check when you need to.
Maybe a blog post on the VRT blog would be appropriate.
Senior Research Engineer, VRT
OpenSource Community Manager
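Added illustration (not from the thread, not VRT or ET rules): two constructed Snort 2.9 rules for a made-up FakeAV check-in, showing the point above about fast_pattern. The URI path, the "fakeavid=" parameter and the sids are assumed placeholder values; in the first rule the engine picks the longest content ("/update/check.php") as the fast pattern by default, in the second rule fast_pattern moves it to the shorter but far more distinctive "fakeavid=" so fewer packets reach full rule evaluation. Both rules read from the normalized URI buffer; note that fast_pattern cannot be placed on an http_method content, so "GET" stays a plain secondary check.

```snort
# Rule 1: no fast_pattern given. Snort selects the longest content,
# "/update/check.php", as the fast pattern. Lots of benign traffic may
# contain such a path, so the rule is fully evaluated often.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE FakeAV check-in (default fast pattern)"; \
    flow:established,to_server; \
    content:"GET"; http_method; \
    content:"/update/check.php"; http_uri; \
    content:"fakeavid="; http_uri; \
    classtype:trojan-activity; sid:1000001; rev:1; )

# Rule 2: same content checks, but fast_pattern explicitly chooses the
# shorter, more unique "fakeavid=" string. The pattern matcher now only
# hands packets to this rule when that rare token is in the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE FakeAV check-in (explicit fast pattern)"; \
    flow:established,to_server; \
    content:"GET"; http_method; \
    content:"/update/check.php"; http_uri; \
    content:"fakeavid="; http_uri; fast_pattern; \
    classtype:trojan-activity; sid:1000002; rev:1; )
```

The only difference is the fast_pattern keyword, which changes which string goes into the multi-pattern matcher, not what the rule ultimately matches; pick the content that is rarest in your traffic, regardless of length.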