Task #4380: tracking: improvements to bits, ints, vars
prefilter/fast_pattern logic for flowbits
It would be useful to have a way to indicate that a rule with a flowbit check should only be checked in the event that the set flowbit appears in the flow.
This could reduce the number of checks on signatures with poor fast_pattern candidates and time spent matching only to throw away the match because the flowbit was not present.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HTTP POST Form Observed After Successful Credential Theft"; flowbits:isset,ET.genericphish; file_data; content:"method=|22|post|22|"; nocase; sid:123; rev:1;)
This rule can be very useful for generic phish detection, but because the only content we're looking for is the post, we incur lots and lots of checks as thats the only available match for fast_pattern
Updated by Victor Julien about 5 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
I think this can be done with some limitations. Since prefilter runs before the actual rules, it could FN if one of the rules sets a flowbit after the prefilter has run.
A simple solution could be to simply limit the prefilter support to flowbits that are set in one direction, and checked in the other direction.
Another more complex setup could be that when setting a flowbit the rules that depend on it (and use it as a prefilter) are added to the rule 'candidate' list. Here the rule order would probably have to be taken into account.