Feature #5776
openPCRE fast_patterns via hyperscan
Description
This feature request is largely inspired by a new keyword introduced in Snort 3.0. The documentation is available here: https://docs.snort.org/rules/options/payload/regex
While I won't pretend to understand how this works "under the hood", I am interested in the ability to use PCREs as fast_patterns.
As an example of at least one case where I think this would help: rules for which we have to create multiple versions to ensure a solid fast_pattern, which could otherwise be handled via a PCRE.
Consider the following open rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Belcuesth_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038691; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Kzzlcne_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038692; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/newminer2_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038693; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M4"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Nykymad_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038694; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M5"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/my_ori_Ywenb_"; fast_pattern; pcre:"/\.(?:bmp|png|jpe?g)$/"; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038695; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
These could be combined into a single rule, ideally with the PCRE fast_pattern taking the static contents (the literal alternatives) into consideration:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M5"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:my_ori_Ywenb|Nykymad|newminer2|Kzzlcne|Belcuesth)_.*\.(?:bmp|png|jpe?g)$/"; fast_pattern; reference:url,blog.netlab.360.com/purecrypter/; classtype:command-and-control; sid:2038695; rev:1; metadata:created_at 2022_08_31, updated_at 2022_08_31;)
Here I've assigned the fast_pattern to the PCRE via the fast_pattern keyword; perhaps a PCRE modifier would be required for that, I'm not sure.
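To show what a literal prefilter in front of the combined PCRE would look like, and to check that the combined rule really covers the same URIs as the five separate rules, here is an added Python example (not from the ticket and not Suricata or Hyperscan code). It pulls the static alternatives out of the combined regex as prefilter literals, verifies with the full regex only when a literal hits, and compares that against the per-rule content-plus-pcre logic on constructed sample URIs; the sample URIs and the helper names are assumptions of the example.

```python
import re

# Constructed sample request URIs (not from the ticket). The first five should
# match; the rest exercise cases where the two rule styles may disagree.
SAMPLE_URIS = [
    "/Belcuesth_abc.png",
    "/Kzzlcne_1.jpg",
    "/newminer2_x.jpeg",
    "/Nykymad_foo.bmp",
    "/my_ori_Ywenb_bar.png",
    "/Belcuesth_abc.gif",        # wrong extension: neither style matches
    "/other/Belcuesth_abc.png",  # prefix not at start: only the unanchored rules match
    "/Belcuesth.png",            # missing underscore: neither style matches
]

# The five per-campaign prefixes the separate rules used as literal fast patterns.
PREFIXES = ["Belcuesth", "Kzzlcne", "newminer2", "Nykymad", "my_ori_Ywenb"]
SUFFIX_RE = re.compile(r"\.(?:bmp|png|jpe?g)$")

def separate_rules_match(uri):
    """Emulates the five original rules: content:"/<prefix>_" on http.uri, then the shared pcre."""
    return any(f"/{p}_" in uri for p in PREFIXES) and SUFFIX_RE.search(uri) is not None

# The combined rule's regex, carrying the alternation of static contents and anchored at the URI start.
COMBINED_RE = re.compile(r"^/(?:my_ori_Ywenb|Nykymad|newminer2|Kzzlcne|Belcuesth)_.*\.(?:bmp|png|jpe?g)$")

def literal_factors(pattern):
    """Extract the fixed alternatives of the leading (?:a|b|c) group as "/<alt>_" literals.
    This is the kind of literal extraction a regex-backed fast pattern relies on, so the
    expensive regex only runs on buffers where a multi-pattern literal search already hit."""
    m = re.match(r"\^/\(\?:([^)]*)\)_", pattern)
    return [f"/{alt}_" for alt in m.group(1).split("|")] if m else []

def combined_rule_match(uri):
    """Prefilter on the extracted literals first; run the full regex only on a literal hit."""
    if not any(lit in uri for lit in literal_factors(COMBINED_RE.pattern)):
        return False
    return COMBINED_RE.search(uri) is not None

def compare(uris):
    """Return (uri, separate_rules_result, combined_rule_result) for each sample URI."""
    return [(u, separate_rules_match(u), combined_rule_match(u)) for u in uris]

if __name__ == "__main__":
    for uri, sep, comb in compare(SAMPLE_URIS):
        print(f"{uri:28} separate={sep!s:5} combined={comb!s:5}")
```

The comparison surfaces one behavioural difference worth knowing before merging: the original rules match the literal anywhere in the URI, while the combined regex is anchored with `^`, so a URI with the prefix deeper in the path is caught only by the separate rules.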