Re: [Snort-sigs] Possible improvements to pop3 rules.

On Wed, 2005-05-04 at 14:56 +1000, Erik de Castro Lopo wrote:
> Here we have a search of the string "USER" followed by the given
> PCRE search. However, the PCRE is anchored to the start of the
> packet. This means that a packet containing "xxxUSER whatever"
> would get matched by the string matcher, but would fail the match 
> in the PCRE.
>
> However, if the rule was modified to:
>
>         content:"USER"; nocase; offset:0; within:4;
>         pcre:"/^USER\s+[^\n]*?%/smi";
>
> the example packet would no longer trigger the PCRE engine
> unless the string "USER" was at the start of the packet.
>
> So, two questions:
>
>    0) Are rule optimisations like this valid?

I think that depends on the rule. Just recently I did exactly what you
suggested to some other Bleeding rule, mainly limiting "GET" matches for
URL requests to a depth of 3 to speed up processing. 

There are certainly rules where the matched content can appear anyway
and thus can not be limited. But the "USER" match in the POP3 protocol
is probably one of those case where a depth limitation is warranted.

>    1) Are optimisations like this worthwhile?

I think yes, especially when rules contain moderately complex pcre
matches and a fast content can bypass it. Also, anything with long
sessions, like SMTP, POP3 or web traffic will benefit from a "quick out"
content match.

Any time that can be shaved off the processing of rules is very welcome.
Especially since we're adding rule like crazy, it is important to
improve quality so that rule evaluation time within the Snort engine is
reduced.

Cheers,
Frank

signature.asc
Description: This is a digitally signed message part