Script to create 'worst case' rules with long random patterns, to stress Suricata's AC-based MPM engine.

rand-rule.lua

#!/usr/bin/env lua

math.randomseed(os.time())

function string.random(length)
  local t = {}
  for i = 1,length do
    table.insert(t, math.random(97,122))
  end
  return string.char(unpack(t))
end

function encodedns(s)
  out = ""
  for i in string.gmatch(s, "%w+") do
    out = out .. string.format("|%02x|%s", string.len(i), i)
  end
  return out .. "|00|"
end

sid = 1000000
for i = 1,50000 do
  local domain = string.random(math.random(40,80)) .. ".test"
  local dnscontent = encodedns(domain)
  print("alert udp $HOME_NET any -> any 53 (msg:\"TEST bad DNS query for "
          .. domain .. " (c2-server|01234567-89ab-cdef-1234-567890abcd)\"; "
          .. "content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; "
          .. "content:\"" .. dnscontent ..  "\"; fast_pattern; distance:0; "
          .. "nocase; classtype:trojan-activity; gid:1; sid:" .. sid .. "; rev:1;)")
  sid = sid + 1
  print("alert http $HOME_NET any -> any any (msg:\"TEST bad HTTP request for "
          .. domain .. " (c2-server|01234567-89ab-cdef-1234-567890abcd)\"; "
          .."content:\"".. domain .. "\"; depth:".. string.len(domain)
          .. "; fast_pattern; http_host; classtype:trojan-activity; gid:1; "
          .. "sid:" .. sid .. "; rev:1;)")
  sid = sid + 1
end