[Bro] Signature Matching Performance

Chris bro at wressnegger.info
Fri May 4 00:21:14 PDT 2012

On 04.05.2012, at 09:04, Seth Hall <seth at icir.org> wrote:
> On May 4, 2012, at 2:41 AM, Chris wrote:
>> - properly anchor the signatures rather than prefixing them with ".*" This seems to be the critical point in my situation. So if you have ideas how to resolve this without giving up matching at arbritrary positions.... ;)
> Could you give us some example signatures?  If they have private data in them, you could defang them a little bit, I'm only asking so that we can see more about how you are using signatures.  In general though, lots of signatures with .* at the beginning are going to be really, really bad.

pretty much any signature is prefixed with .* followed by a potentially short body of actual signature data. The reason for this is that those signatures are automatically generated and do not have much information about their location within the payload. Hence, it might happen that e.g. a signature for a http request type might end up as /.*GET\ / although that obviously isn't what one would usually go for.
Seems like I'm misusing the concept of the signature engine a bit hehe


More information about the Bro mailing list