[Intrusions] Assessing Your Malware Exposure with Snort

Cory.Bys at fbol.com Cory.Bys at fbol.com
Thu Mar 10 21:39:10 GMT 2005


<snip>
My tweaked "for speed" meat of the rule version is:

    flow:established,to_server; content:"whenyousearch.com"; nocase;
    pcre:"/^Host\x3a\s*[a-z0-9\.-]+\.whenyousearch.com/smi";
</snip>

I really appreciate your input.

I'm definitely no Snort or Perl expert, so I'll take your word for it that
this is faster.

Here are a few questions, concerns, and rationalizations:

- I had assumed that making the expression do all of the work would be more
efficient than using the "smi" modifiers. I could be wrong.

- The Snort manual states the content option is "rather computationally
expensive". Since I am only concerned with communications with a given host
and don't care about the data portion of the packet I don't understand how
adding the option improves performance.

- Is there really a performance difference between \x3a and (:) and \d ?

- What is the significance of allowing multiple whitespace with \s*? I have
never seen a real-world example where "Host:" was not followed by only one
space.

- By dropping the grouping and removing \r\n you are significantly
increasing the chance of false positives. \r\n follows every Host option so
it is a fairly reliable indicator of "end of line". At first glance it
appears as though your version of the rule would hit on the following:

Host: www.whenyousearch.communist.com

...and communist.com is not what we are looking for. By using my method I
have yet to receive a single report of a false positive.

- I didn't add "to_server" because I assumed it would increase overhead.
Since I don't host whenyousearch.com I don't expect to ever see an
established HTTP connection with the given Host string going the other way,
so I thought the additional scrutiny didn't make sense.

Thanks -
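The false-positive concern raised above (a trailing label such as ".communist.com" riding along behind the domain) is easy to check offline before a rule is deployed. The following is an added example, not code from this thread or from Snort: it uses Python's re module as a stand-in for Snort's PCRE engine, which agrees with it for the constructs involved (^ with the m flag, \s*, character classes, the i flag). LOOSE is the quoted rule's expression; STRICT is an assumed reconstruction of the tighter form the author describes (escaped dots and a \r\n end-of-line anchor), not the author's exact rule. The request headers are constructed samples, not captured traffic.

```python
import re

# Quoted pattern from the thread: nothing anchors the end of the hostname, and
# the dot in "whenyousearch.com" is an unescaped metacharacter.
LOOSE = re.compile(rb"^Host\x3a\s*[a-z0-9.-]+\.whenyousearch.com", re.M | re.S | re.I)

# Assumed reconstruction of the stricter form: literal dots and a required CRLF
# right after ".com", so the match must end exactly at the end of the Host line.
STRICT = re.compile(rb"^Host\x3a\s*[a-z0-9.-]+\.whenyousearch\.com\r\n", re.M | re.S | re.I)

# Constructed sample HTTP request headers (not real captures).
SAMPLES = {
    # The host actually being looked for: both forms should fire.
    "true_positive": b"GET / HTTP/1.1\r\nHost: www.whenyousearch.com\r\nUser-Agent: x\r\n\r\n",
    # The example from the post: a longer hostname that merely starts with the label.
    "false_positive": b"GET / HTTP/1.1\r\nHost: www.whenyousearch.communist.com\r\n\r\n",
    # Unrelated host: neither form should fire.
    "unrelated": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # The unescaped dot in LOOSE also accepts any single character in its place.
    "dot_wildcard": b"GET / HTTP/1.1\r\nHost: www.whenyousearch_com\r\n\r\n",
}


def hits(pattern, payload):
    """True if the compiled pattern matches anywhere in the request bytes."""
    return pattern.search(payload) is not None


def compare(samples=SAMPLES):
    """Return {sample_name: (loose_hit, strict_hit)} for every sample."""
    return {name: (hits(LOOSE, p), hits(STRICT, p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:15s} loose={loose!s:5s} strict={strict!s:5s}")
```

Running it shows LOOSE firing on "www.whenyousearch.communist.com" and on the wildcard sample while STRICT fires only on the genuine host, which is the behaviour the post predicts. The same harness can be extended with any other Host values a sensor is expected to see before a rule change goes live.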
