Snort mailing list archives
Re: GPL sid 2472 optimization.
From: Alex Kirk <akirk () sourcefire com>
Date: Mon, 11 Oct 2010 11:43:16 -0400
That's totally valid from a logic standpoint, and it validates out properly with the PCAPs from our test suite. I'll make that change shortly.

On Mon, Oct 11, 2010 at 11:21 AM, Will Metcalf <william.metcalf () gmail com> wrote:
It seems to me that the pcre match in this sig is unnecessary. We can
accomplish the same thing by eliminating the pcre match and simply
modifying the offset in the relative byte_jump. This seems to cut the
time to inspect this sig in half. Thoughts?
Regards,
Will
Old:
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2472; rev:9;)
Rule Profile Statistics (all rules)
==========================================================
Num  SID   GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
===  ===   ===  ===  ======  =======  ======  =========  =========  =========  ============
1    2472  1    9    6       2        1       49         8.3        4.7        10.1
timestamp: 1286807914
Rule Profile Statistics (all rules)
==========================================================
Num  SID   GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
===  ===   ===  ===  ======  =======  ======  =========  =========  =========  ============
1    2472  1    9    6       2        1       37         6.2        5.5        6.6
timestamp: 1286807915
Rule Profile Statistics (all rules)
==========================================================
Num  SID   GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
===  ===   ===  ===  ======  =======  ======  =========  =========  =========  ============
1    2472  1    9    6       2        1       41         7.0        4.9        8.0
timestamp: 1286807916
Rule Profile Statistics (all rules)
==========================================================
Num  SID   GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
===  ===   ===  ===  ======  =======  ======  =========  =========  =========  ============
1    2472  1    9    6       2        1       45         7.5        4.7        8.9
New:
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2472; rev:9;)
timestamp: 1286808040
Rule Profile Statistics (all rules)
==========================================================
Num  SID   GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
===  ===   ===  ===  ======  =======  ======  =========  =========  =========  ============
1    2472  1    9    6       2        1       14         2.5        3.3        2.1
timestamp: 1286808041
Rule Profile Statistics (all rules)
==========================================================
Num  SID   GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
===  ===   ===  ===  ======  =======  ======  =========  =========  =========  ============
1    2472  1    9    6       2        1       15         2.7        3.6        2.2
timestamp: 1286808042
Rule Profile Statistics (all rules)
==========================================================
Num  SID   GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
===  ===   ===  ===  ======  =======  ======  =========  =========  =========  ============
1    2472  1    9    6       2        1       18         3.1        4.3        2.5
timestamp: 1286808043
Rule Profile Statistics (all rules)
==========================================================
Num  SID   GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
===  ===   ===  ===  ======  =======  ======  =========  =========  =========  ============
1    2472  1    9    6       2        1       14         2.3        3.4        1.8
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
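The cursor arithmetic behind Will's change (the pcre consumes 27 bytes, so folding it into the byte_jump offset gives 27 + 7 = 34), replayed in Python over a constructed SMB Tree Connect AndX request; this is an added example, not code from the thread or from Snort, and the packet builder, field layout and helper names are assumptions of mine. It also shows where the two forms differ: without the `s` modifier, PCRE's `.` does not match 0x0a, so the old chain silently fails when a 0x0a byte (here planted in the MID field) lands inside the 27-byte span, while the byte_jump-only form still matches.

```python
import re
import struct

# Constructed SMB Tree Connect AndX request (not a packet from the thread).
# mid lets a caller plant a 0x0a byte inside the 27 bytes the old pcre spans.
def build_tree_connect(password=b"\x00", mid=0x0001):
    # 32-byte SMB header: "\xffSMB", command 0x75, Status, Flags, Flags2
    # (0x8000 = Unicode), PIDHigh, SecuritySignature, Reserved, TID, PID, UID, MID
    hdr = b"\xffSMBu" + struct.pack("<IBHHQHHHHH", 0, 0x18, 0x8001, 0, 0, 0, 0, 0xfeff, 0, mid)
    # WordCount=4: AndXCommand, AndXReserved, AndXOffset, Flags, PasswordLength
    params = struct.pack("<BBBHHH", 4, 0xff, 0, 0, 0, len(password))
    data = password + "\\\\SERVER\\C$".encode("utf-16-le") + b"\x00\x00" + b"?????\x00"
    body = hdr + params + struct.pack("<H", len(data)) + data
    return b"\x00" + struct.pack(">I", len(body))[1:] + body   # NetBIOS session header

def detection_cursor(pkt, use_pcre):
    """Replay sid 2472's options up to byte_jump; return the cursor or None."""
    if pkt[:1] != b"\x00":                                     # content:"|00|"; depth:1
        return None
    i = pkt.find(b"\xffSMBu", 4, 9)                            # distance:3; within:5
    if i < 0:
        return None
    cur = i + 5
    if not pkt[cur + 6] & 128:                                 # byte_test:1,&,128,6,relative
        return None
    if use_pcre:                                               # old: pcre:"/^.{27}/R" ...
        m = re.match(rb".{27}", pkt[cur:])                     # '.' skips 0x0a, like PCRE
        if not m:
            return None
        cur, off = cur + m.end(), 7                            # ... then byte_jump:2,7
    else:
        off = 34                                               # new: byte_jump:2,34
    (val,) = struct.unpack_from("<H", pkt, cur + off)          # little-endian PasswordLength
    return cur + off + 2 + val                                 # jump from end of the field

def matches_c_share(pkt, use_pcre):
    """Remaining options: C$ share name present, and it is not IPC$."""
    cur = detection_cursor(pkt, use_pcre)
    if cur is None:
        return False
    j = pkt.lower().find(b"c\x00$\x00\x00\x00", cur + 2)       # distance:2; nocase
    if j < 0:
        return False
    window = pkt[max(j - 4, 0):j + 6]                          # within:10; distance:-10
    return window.upper() != b"I\x00P\x00C\x00$\x00\x00\x00"   # negated content
```

The simulator approximates Snort's cursor semantics (byte_jump lands after the converted field plus its value) for just these options; it is not a general rule engine.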