[Bleeding-sigs] Re: [Intrusions] Assessing Your Malware Exposure with Snort

Matt Jonkman matt at infotex.com
Fri Mar 11 19:00:45 GMT 2005


You could put the entire variable in an included file. That'd probably 
be easier.

I've heard a number of discussions on how large variables aren't as 
efficient as smaller ones though. That'd be the limiter I bet.

Matt

Wes Young wrote:
> I wonder, is it possible to define a variable with an 'include' statement?
> 
> var $BAD_DNS = include bad_domains.rules
> 
> having the snort alert dynamically generate the content, or make the 
> content a var?... I haven't had a to check it out to see if it will even 
> work in snort, but maybe a conceptual idea that might work in the future 
> for things like this?
> 
> then you can add/remove domains in a rule-type file instead?
> 
> 
> On Mar 10, 2005, at 4:21 PM, Matt Jonkman wrote:
> 
>     Thanks for the clarification Brian.
> 
>     I had started to combine these rules into multi-condition pcre.
>     Making one rule out of 30 or 40 original single domain rules. And I
>     can't remember where the heck I put them now or I'd link to them for
>     you.
> 
>     So my question is, will this be more efficient in a single combined
>     match per rule, or multiple?
> 
>     Matt
> 
>     Brian wrote:
> 
>             I have written a few thousand Snort rules that are intended
>             to detect successful HTTP communication with hosts known to
>             be evil. They look for domain names in the Host string so
>             they are not subject to evasion by changing IP addresses.
> 
>             If you would like to give them a try you can grab them from
>             http://www.kgb.to/malware.html .
> 
>         Interesting.
>         The meat of one of your rules is:
> 
>         flow:established;
>         pcre:"/(Host\:)\s[a-zA-Z0-9.-]+(\.whenyousearch.com\r\n)/";
> 
>         Your rules are going to be slow. Here are the few issues I see so
>         far:
> 
>         * Your regular expression is matching when you don't need to,
>           causing pcre to do un-needed work.
>         * By not using content, you are not making use of the
>           multi-pattern match engine in Snort.
>         * Since all of the rules I looked at are looking for traffic going
>           towards the web server, you should limit your flow to
>           "to_server" as well.
> 
>         My tweaked "for speed" meat of the rule version is:
> 
>         flow:established,to_server; content:"whenyousearch.com"; nocase;
>         pcre:"/^Host\x3a\s*[a-z0-9\.-]+\.whenyousearch.com/smi";
> 
>         Brian Caswell
>         _______________________________________________
>         Intrusions mailing list
>         Intrusions at lists.sans.org
>         http://www.dshield.org/mailman/listinfo/intrusions
> 
> 
> 
> 
> 
> -- 
> Wes
> 
> I wish I could come up with some witty sigs
> 
> 
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs at bleedingsnort.com
> http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
