Limit inspection of a stream and/or rule...
I would like to have different rule options to limit inspection of a streams.
Not sure if it would speed up or slow down performance, but I see it nice for limiting false positives as some rules are specifically looking for something in the start of a session/stream.
Say if we have a binary protocol, and we are just looking for something that identifies it in the start of the stream/session, it would be waste of cycles to keep inspecting that stream with that rule (And maybe other rules?)
A bit like snorts "preprocessor ssl: noinspect_encrypted"... Just editable by a user...
alert tcp $EXTERNAL_NET 888 -> $HOME_NET any (msg:"Stop inspect custom encrypted/binary protocol SSLv8"; flow:established,from_server; content:"|02|Handshake done|03|"; flowbits:noalert; stream_noinspect; classtype:friendly_fire; sid:888; rev:1;)
Example_2 (stream_depth:5; and stream_noinspect;):
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gh0st Trojan CnC"; flow:established,to_server; content:"Gh0st"; stream_depth:5; stream_noinspect; classtype:trojan-activity; sid:2010859; rev:100;)
There could be:
stream_noinspect or stream_noinspect_both (The same): Stops inspections of client and server traffic in the stream.
stream_noinspect_client: Stop inspection of traffic from client in the stream
stream_noinspect_server: Stop inspection of traffic from server in the stream
If the rule matches its conditions and one of the above options are presents, it would stop inspect respectively.
stream_depth (and stream_depth_raw): Only inspect a certain amount of bytes in a reassabled (or raw?) stream for the respective content:"" match in a rule? The rule would no longer be applied to packets in the stream after it fires.
I have no idea if my stream_* thoughts are a good or bad idea... but here they are :)