william.metcalf at ...2499...
Tue Apr 26 11:04:44 EDT 2011
IMHO this sig should be disabled by default. Running the ET open
rules against some production network captures rich with HTTP, this
sig cost the most in terms of total ticks. Signatures comprised
completely of keywords ignored by fast_pattern should be avoided. As
an aside, I think I have requested this before, but snort-devs, IMHO
you should allow your users more granular control over rule groupings,
i.e. allow them to optionally/additionally group sigs based on src/dst
IP. There is no reason why this sig should be so expensive in a data
set comprised almost entirely of client HTTP requests. I think the
concern was memory consumption, but so what?... memory is cheap! Just
my 2 cents...
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; content:"414"; http_stat_code; content:"Request-URI Too Large"; http_stat_msg; nocase; classtype:web-application-attack; sid:2012708; rev:2;)
/me goes back to my WAF hole...
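The cost the post describes comes from a rule whose only content matches sit in buffers the fast-pattern matcher does not use, so the rule can never be pre-filtered and is evaluated against every flow. As an added example (not code from the post or from Snort/ET), here is a small linter that parses a rule's options, records which buffer each content keyword is bound to, and flags rules with no fast-pattern candidate. The set of eligible buffers (raw payload, http_uri, http_header, http_client_body) follows the Snort 2.9-era manual and is an assumption to check against your own version; the second rule is a constructed contrast with a placeholder sid.

```python
import re

# Assumption (Snort 2.9-era manual): only these buffers can feed fast_pattern.
FAST_PATTERN_BUFFERS = {"raw", "http_uri", "http_header", "http_client_body"}
BUFFER_MODIFIERS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header",
                    "http_cookie", "http_raw_cookie", "http_client_body",
                    "http_method", "http_stat_code", "http_stat_msg"}

# The rule from the post, and a constructed rule with a placeholder sid.
ET_2012708 = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER '
              'HTTP 414 Request URI Too Large"; flow:from_server,established; '
              'content:"414"; http_stat_code; content:"Request-URI Too Large"; '
              'http_stat_msg; nocase; classtype:web-application-attack; sid:2012708; rev:2;)')
URI_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE uri anchor"; '
            'flow:to_server,established; content:"/example/"; http_uri; nocase; '
            'classtype:web-application-attack; sid:1000001; rev:1;)')


def split_options(rule):
    """Options inside the parentheses, split on ';' only outside double quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(cur.strip()); cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return opts


def content_buffers(rule):
    """Each content match with the buffer it is evaluated against (raw by default)."""
    matches = []
    for opt in split_options(rule):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "content":
            matches.append({"pattern": value, "buffer": "raw", "negated": value.startswith("!")})
        elif key in BUFFER_MODIFIERS and matches:
            matches[-1]["buffer"] = key   # modifier re-binds the preceding content
    return matches


def fast_pattern_candidates(rule):
    """Contents the fast-pattern matcher could actually pick (negated ones never qualify)."""
    return [m for m in content_buffers(rule) if m["buffer"] in FAST_PATTERN_BUFFERS and not m["negated"]]


def lint(rule):
    """One-line verdict: does this rule give the fast-pattern matcher anything to work with?"""
    sid = next((o.split(":", 1)[1] for o in split_options(rule) if o.startswith("sid:")), "?")
    contents = content_buffers(rule)
    if not contents:
        return f"sid {sid}: no content keyword, every packet is fully evaluated"
    if not fast_pattern_candidates(rule):
        bufs = ", ".join(sorted({m["buffer"] for m in contents}))
        return f"sid {sid}: no fast-pattern candidate (contents only in {bufs})"
    return f"sid {sid}: ok"
```

Running `lint` over a whole ruleset before deployment surfaces exactly the class of signature the post complains about, so it can be disabled or given a raw or http_uri anchor before it reaches a busy sensor.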