[Emerging-Sigs] Performance of Rules 2016016 & 2016017

Christopher Granger chrisgrangerx at gmail.com
Mon Dec 17 09:27:00 HAST 2012


Hi ET,

Just due diligence regarding enabling these rules on potentially
performance-sensitive Sourcefire devices:

alert udp any any -> $HOME_NET 53 (msg:"ET CURRENT_EVENTS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016016; rev:4;)

alert udp $HOME_NET 53 -> any any (msg:"ET CURRENT_EVENTS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:4;)

Has anyone noticed issues with performance? I wouldn't think there would
be, based on the fast_pattern/content matches.

Thanks,
-Chris
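Editor's added example (not part of Chris's post or of the ET ruleset): the match chain of sid 2016016/2016017 replicated in Python over constructed DNS payloads, so it is clear what the bytes in the rule actually pin down. The first content is the header after the transaction ID (RD set, QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 1), the pcre consumes a non-empty QNAME, and the final content with within:8 requires QTYPE ANY, QCLASS IN and an EDNS0 OPT pseudo-record whose advertised UDP payload size starts with 0x10 (4096 to 4351) to follow immediately. The packets, query names and the small threshold simulation are all constructed here for illustration.

```python
import re
import struct

# Byte strings transcribed from the rule text above.
HEADER_TAIL = bytes.fromhex("01000001000000000001")   # flags RD, QD=1, AN=0, NS=0, AR=1 (offset:2, depth:10)
ANY_IN_OPT_4K = bytes.fromhex("00ff000100002910")     # QTYPE ANY, QCLASS IN, root name, type OPT, size high byte 0x10
# pcre:"/^[^\x00]+?\x00/R": a non-empty QNAME, anchored where the previous match ended.
# (No '^' here: Python's pattern.match(buf, pos) already anchors at pos, while '^' would
# insist on the real start of the buffer.)
QNAME_RE = re.compile(rb"[^\x00]+?\x00")


def encode_qname(name):
    """Wire-format a dotted name as length-prefixed labels ended by a zero byte."""
    labels = name.strip(".").split(".") if name.strip(".") else []
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return out + b"\x00"


def build_query(qname, qtype, *, txid=0x1234, rd=True, edns_size=None):
    """Constructed DNS query payload: header, one IN question, optional EDNS0 OPT RR."""
    flags = 0x0100 if rd else 0x0000
    arcount = 1 if edns_size is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_qname(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_size is not None:
        # OPT RR (RFC 6891): root name, TYPE 41, CLASS field = UDP payload size,
        # TTL field = extended RCODE/version/flags (0), RDLENGTH 0.
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return header + question + opt


def rule_matches(payload):
    """Replicates the content/pcre/within chain of sid 2016016 on one UDP payload."""
    # content:HEADER_TAIL; offset:2; depth:10 -> bytes 2..11 must be exactly these.
    if payload[2:12] != HEADER_TAIL:
        return False
    # pcre with /R -> relative to the end of the previous match, i.e. byte 12.
    m = QNAME_RE.match(payload, 12)
    if not m:
        return False
    # content:ANY_IN_OPT_4K; within:8 -> 8 bytes that must fit in the next 8 bytes,
    # so they have to start right where the QNAME ended.
    end = m.end()
    return payload[end:end + 8] == ANY_IN_OPT_4K


def threshold_limit(events, seconds=60, count=1):
    """threshold: type limit, track by_src -> first `count` events per source per window
    are reported, the rest of that window is suppressed. events: iterable of (ts, src)
    in time order. Returns the (ts, src) pairs that would alert."""
    state = {}   # src -> (window_start, alerts_fired)
    alerts = []
    for ts, src in events:
        start, fired = state.get(src, (ts, 0))
        if ts - start >= seconds:
            start, fired = ts, 0
        if fired < count:
            alerts.append((ts, src))
            fired += 1
        state[src] = (start, fired)
    return alerts


if __name__ == "__main__":
    # Constructed sample traffic: ANY + EDNS0 4096 is the amplification probe the rule targets.
    print(rule_matches(build_query("isc.org", 255, edns_size=4096)))   # True
    print(rule_matches(build_query("isc.org", 1, edns_size=4096)))     # False: A, not ANY
    print(rule_matches(build_query("isc.org", 255)))                   # False: no OPT RR
    print(rule_matches(build_query("isc.org", 255, edns_size=512)))    # False: size 0x0200
    print(rule_matches(build_query("isc.org", 255, edns_size=65535)))  # False: size 0xffff
```

Two things worth noting when deploying: the trailing 0x10 means only advertised EDNS0 buffer sizes 0x1000 to 0x10ff trigger the rule (a probe advertising 8192 or 65535 bytes does not), and the `[^\x00]+?` requires at least one QNAME byte, so an ANY query for the root (`.`) is not matched either. The `threshold` keyword only limits how often the alert is emitted; the content matches still run on every packet, which is what fast_pattern on the 8-byte OPT string is there to keep cheap.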