[Emerging-Sigs] Jorik FakeAV sig

Joel Esler jesler at sourcefire.com
Mon Oct 31 14:34:38 EST 2011


On Oct 31, 2011, at 2:22 PM, Matthew Jonkman wrote:
> On Oct 31, 2011, at 1:09 PM, Packet Hack wrote:
> 
>> So can someone give the quick and dirty when it's better to use
>> fast_pattern:only vs. http_uri/http_method?
>> 
> 
> I don't know that there's a simple answer there. And it'll vary depending on the engine. 
> 
> fast pattern only is complicated on Snort, and I have to admit I don't fully understand it there. You can create false negatives in cases where you put too long a string into FP:only, etc. So we tend to let snort and suricata make the decisions on fast pattern when we can. They both do a good job by default. 
> 

Well..  No.  Fast_pattern:only will override the "too long a string" thing that you are thinking about, Matt.  fast_pattern should be used in cases where a pattern is more unique than the "longest" pattern.  To keep it simple.

> As for using http_*, that's important on both engines snort and suri. Normalization, especially in the URIs is critical. Performance is a moot point really, if not normalized we become extremely evadable. 

Well... No.  Performance is better when reading from a normalized buffer.  At least in Snort it is.  *I* know absolutely nothing about Suricata.  On purpose mind you.  Oh, I know bits and pieces here and there, but for the most part, I know nothing about its interior or performance.

Http_method is a check for that particular buffer, overall, I think people check this buffer too much.  You should only use this check when you need to.  

Maybe a blog post on the VRT blog would be appropriate.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
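The two points argued above (which content the fast-pattern matcher picks by default versus a fast_pattern:only override, and why matching in the normalized URI buffer matters) as a toy model in Python. This is an added illustration, not code from the thread, from Sourcefire or from Snort itself: the rules, request lines and the "rare vs. long" patterns are constructed for the example, and normalize_uri is only a stand-in for the real http_inspect normalization.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Constructed sample request line (not real traffic). The path is written with
# a "/./" segment and a percent-encoded dot so that a raw-buffer content miss
# while the normalized URI still matches.
RAW_REQUEST_LINE = "GET /update/./check%2Ephp?cid=xyz123 HTTP/1.1"


def normalize_uri(raw_uri: str) -> str:
    """Toy stand-in for the normalized http_uri buffer: percent-decode
    (twice, to undo double encoding), collapse repeated slashes and resolve
    '.' and '..' path segments."""
    path, sep, query = raw_uri.partition("?")
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path)
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath drops a trailing slash; keep it
    return norm + (sep + unquote(query) if sep else "")


@dataclass
class Content:
    pattern: str
    http_uri: bool = False           # match in the normalized URI buffer
    fast_pattern_only: bool = False  # Snort-style fast_pattern:only


@dataclass
class Rule:
    sid: int
    contents: List[Content]


def select_fast_pattern(rule: Rule) -> Content:
    """Default behaviour: the longest content becomes the fast pattern.
    A fast_pattern:only content overrides that, whatever its length."""
    for c in rule.contents:
        if c.fast_pattern_only:
            return c
    return max(rule.contents, key=lambda c: len(c.pattern))


def buffers(request_line: str) -> dict:
    _method, uri, _version = request_line.split(" ", 2)
    return {"raw": request_line, "http_uri": normalize_uri(uri)}


def content_matches(c: Content, bufs: dict) -> bool:
    return c.pattern in bufs["http_uri" if c.http_uri else "raw"]


def evaluate(rule: Rule, request_line: str) -> str:
    """Returns which stage the rule stopped at: 'fp_miss' (never left the
    fast-pattern matcher), 'body_miss' (full evaluation failed) or 'alert'."""
    bufs = buffers(request_line)
    if not content_matches(select_fast_pattern(rule), bufs):
        return "fp_miss"
    # A fast_pattern:only content is not re-checked in the rule body; every
    # other content must still match in its own buffer.
    body = [c for c in rule.contents if not c.fast_pattern_only]
    return "alert" if all(content_matches(c, bufs) for c in body) else "body_miss"


# Constructed rules. "/update/check.php" is the longest content but would be
# common in benign traffic; "cid=xyz123" is shorter but specific to the sample.
RULE_RAW = Rule(1, [Content("/update/check.php"), Content("cid=xyz123")])
RULE_URI = Rule(2, [Content("/update/check.php", http_uri=True),
                    Content("cid=xyz123", http_uri=True)])
RULE_URI_FP = Rule(3, [Content("/update/check.php", http_uri=True),
                       Content("cid=xyz123", http_uri=True, fast_pattern_only=True)])

if __name__ == "__main__":
    benign = "GET /update/check.php?cid=other HTTP/1.1"
    for rule in (RULE_RAW, RULE_URI, RULE_URI_FP):
        fp = select_fast_pattern(rule).pattern
        print(f"sid {rule.sid}: fast pattern={fp!r} "
              f"sample={evaluate(rule, RAW_REQUEST_LINE)} benign={evaluate(rule, benign)}")
```

Running it shows the raw-buffer rule missing the sample entirely (the "/./" and "%2E" tricks defeat it), both http_uri rules alerting, and the fast_pattern:only rule dropping the benign request at the fast-pattern stage instead of after full evaluation, which is the performance argument for picking the rarer string.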
