Friday, July 20, 2012

fast_pattern is fast

A fairly new reconnaissance tool called Skipfish was brought to our attention earlier this week. I wanted to take a few minutes and demonstrate a case where multiple rules using fast_pattern can be more efficient than a single rule with a regular expression.

Taking a quick look through the Skipfish source code shows there are four predefined user-agent strings with a version (2.07b) appended to the end. There is a default and then three that are intended to resemble typical user-agent strings.

Default


Firefox


MSIE



iPhone






Each of the strings has "SF/" so a regular expression can be used to detect all four variations:

pcre:"/User-Agent\x3a[^\r\n]+?SF/[0-9]{1}\.[0-9]{2}[a-z]/smi";

I used the tool and generated some traffic with each of the User-Agent strings and this rule had an Avg/Check of 92.5 microseconds.

Now using the fast pattern matcher the rule for the default User-Agent string looks like this.

content:"User-Agent: Mozilla/5.0 SF/"; fast_pattern:only;

The 'only' modifier to fast_pattern means this is only evaluated by the fast pattern matcher and not as a rule option. Since there are no other rule options this rule is evaluated entirely in the fast pattern matcher, and never enters the core Snort engine. This rule had an Avg/Check of 2.3 microseconds; none of the other three rules written this way were over 3.5 microseconds.

This demonstrates a significant performance advantage to running four separate rules instead of a single regular expression.

While the VRT is constantly monitoring for new tools being used in the field, we happily accept tool submissions from the field for creating new Snort rules. If you come across other tools like this that you want rule coverage for, please send them to us, research < at > sourcefire < dot > com. For those keeping score at home, the SIDs for the new Skipfish rules are 23601 - 23604.

No comments:

Post a Comment