[Snort-devel] [Emerging-Sigs] 2012708

Matthew Jonkman jonkman at ...3176...
Tue Apr 26 11:09:28 EDT 2011

Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers. 

The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on all platforms?

Is there some benefit to using the http keyword for these we might miss?



On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:

> IMHO this sig should be disabled by default.  Running the ET open
> rules against some production network captures rich with HTTP, this
> sig cost the most in terms of total ticks. Signatures comprised
> completely of keywords ignored by fast_pattern should be avoided.  As
> an aside, I think I have requested this before but, snort-devs imho
> you should allow your users more granular control over rule groupings
> i.e. allow them to optionally/additionally group sigs based on src/dst
> ip.  There is no reason why this sig should be so expensive in a data
> set comprised almost entirely of client HTTP requests.  I think the
> concern was memory consumption, but so what?... memory is cheap! Just
> my 2 cents...
>
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
> WEB_SERVER HTTP 414 Request URI Too Large";
> flow:from_server,established; content:"414"; http_stat_code;
> content:"Request-URI Too Large"; http_stat_msg; nocase;
> classtype:web-application-attack; sid:2012708; rev:2;)
>
> Regards,
> Will
> /me goes back to my WAF hole...

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
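
Added example, not part of the original thread and not Snort or Emerging Threats code: a small rule linter that flags signatures whose every content match sits in a buffer the fast pattern matcher ignores, which is the condition Will describes. The modifier set holds only the two keywords named in the thread (an assumption; extend it from the manual for your Snort version), and the second sample rule with sid 1000001 is constructed.

```python
# Assumption: content modifiers ignored by fast_pattern. Only the two named
# in the thread are listed; extend from your Snort version's manual.
NON_FAST_PATTERN_MODIFIERS = {"http_stat_code", "http_stat_msg"}

SAMPLE_RULES = [
    # The rule quoted in the thread, unwrapped onto one line.
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER '
    'HTTP 414 Request URI Too Large"; flow:from_server,established; '
    'content:"414"; http_stat_code; content:"Request-URI Too Large"; '
    'http_stat_msg; nocase; classtype:web-application-attack; sid:2012708; rev:2;)',
    # Constructed rule: one content match in a buffer not on the ignore list.
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"constructed '
    'example"; flow:from_server,established; content:"414"; http_stat_code; '
    'content:"Server|3a| Apache"; http_header; sid:1000001; rev:1;)',
]

def split_options(rule):
    """Split the parenthesised option body into (keyword, value) pairs,
    ignoring ';' inside quoted strings or after a backslash escape."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    opts.append("".join(buf))  # option without a trailing ';'
    pairs = (o.strip().partition(":") for o in opts if o.strip())
    return [(key.strip(), val.strip()) for key, _, val in pairs]

def content_matches(rule):
    """Return each content match with the keywords that follow it."""
    contents = []
    for key, val in split_options(rule):
        if key == "content":
            contents.append({"pattern": val, "modifiers": set()})
        elif contents:
            contents[-1]["modifiers"].add(key)
    return contents

def lacks_fast_pattern_candidate(rule):
    """True when the rule has content matches and all are in ignored buffers."""
    contents = content_matches(rule)
    return bool(contents) and all(
        c["modifiers"] & NON_FAST_PATTERN_MODIFIERS for c in contents)
```

Running `lacks_fast_pattern_candidate` over a ruleset gives a shortlist of signatures to profile or disable before they show up at the top of the rule profiling output.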
