Feature #5776
openPCRE fast_patterns via hyperscan
Description
This feature request is largely inspired by a new keyword introduced within Snort 3.0 The documentation is available here: https://docs.snort.org/rules/options/payload/regex
While I won't pretend to understand how this works "under the hood", I am interested in the ability to use PCREs as fast_patterns.
As an example of at least one case where I think this would help is, rules for which we have to create multiple versions of to insure a solid fast_pattern, that could otherwise be handled via a PCRE.
Consider the following open rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Belcuesth_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038691; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Kzzlcne_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038692; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/newminer2_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038693; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M4"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Nykymad_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038694; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M5"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/my_ori_Ywenb_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038695; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
This could be combined into a single rule, ideally with PCRE fast_pattern taking the static contents into consideration
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M5"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:my_ori_Ywenb|Nykymad|newminer2|Kzzlcne|Belcuesth)_(?:bmp|png|jpe?g)$/"; fast_pattern; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038695; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
Here I've assigned the fast_pattern to the PCRE via the fast_pattern keyword, perhaps a PCRE modifier would be required for that, I'm not sure.
Updated by Victor Julien 10 months ago
- Assignee changed from OISF Dev to Community Ticket
I fear this is still going to be quite slow, but it's worth experimenting with, esp now that vectorscan is available for ARM as well. My limited experience with regex in mpm suggested a significant performance hit. What I did was try to anchor literal patterns to the end of the buffer by appending a $. It hurt performance significantly.
For now I'm going to set to community, as I'm not too optimistic it will be worth it.