[Snort-devel] [Emerging-Sigs] 2012708

Will Metcalf william.metcalf at ...2499...
Tue Apr 26 11:14:37 EDT 2011


> Is there some benefit to using the http keyword for these we might miss?

There is a performance benefit... just not with rules comprised completely of any combination of the following keywords... namely, http_cookie, http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.

Regards,

Will


On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman
<jonkman at ...3176...> wrote:
> Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers.
>
> The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on all platforms?
>
> Is there some benefit to using the http keyword for these we might miss?
>
> Thoughts?
>
> Matt
>
>
> On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
>
>> IMHO this sig should be disabled by default.  Running the ET open
>> rules against some production network captures rich with HTTP, this
>> sig cost the most in terms of total ticks. Signatures comprised
>> completely of keywords ignored by fast_pattern should be avoided.  As
>> an aside, I think I have requested this before but, snort-devs imho
>> you should allow your users more granular control over rule groupings
>> i.e. allow them to optionally/additionally group sigs based on src/dst
>> ip.  There is no reason why this sig should be so expensive in a data
>> set comprised almost entirely of client HTTP requests.  I think the
>> concern was memory consumption, but so what?... memory is cheap! Just
>> my 2 cents...
>>
>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
>> WEB_SERVER HTTP 414 Request URI Too Large";
>> flow:from_server,established; content:"414"; http_stat_code;
>> content:"Request-URI Too Large"; http_stat_msg; nocase;
>> classtype:web-application-attack; sid:2012708; rev:2;)
>>
>> Regards,
>>
>> Will
>>
>> /me goes back to my WAF hole...
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630 x110
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
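Will's point above is that sid:2012708 has no content the fast-pattern matcher can use, so every established server-to-client HTTP flow is handed to the full detection engine. The rule linter below is an added example, not code from the thread, Emerging Threats or the Snort project: it parses a Snort 2.x rule's option body, pairs each content match with the buffer modifiers that follow it, and reports rules whose contents all sit in the buffers Will's message lists as ignored by fast_pattern. The ignored-buffer set is taken verbatim from his message; the option grammar is a simplified assumption (quoted values and bare flags only), and the second rule is constructed for comparison.

```python
import re

# Buffers that, per Will Metcalf's message in this thread, fast_pattern ignores.
FAST_PATTERN_IGNORED = {
    "http_cookie", "http_raw_uri", "http_raw_header",
    "http_raw_cookie", "http_stat_code", "http_stat_msg",
}

# One rule option: key:"quoted value", key:value, or a bare flag, each ended by ';'.
# Assumption: values are either double-quoted or contain no ';'.
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_options(rule):
    """Return (keyword, value) pairs from the parenthesised option body of a rule."""
    start, end = rule.index("("), rule.rindex(")")
    body = rule[start + 1:end]
    return [(m.group(1), (m.group(2) or "").strip('"')) for m in OPTION_RE.finditer(body)]


def content_buffers(rule):
    """Pair every content/uricontent pattern with the bare modifiers that follow it.

    Snort binds modifiers such as http_stat_code or nocase to the most recent
    content, so we collect flags until the next content keyword appears.
    """
    results = []
    current = None
    for key, value in parse_options(rule):
        if key in ("content", "uricontent"):
            current = [value, set()]
            if key == "uricontent":          # legacy spelling of content + http_uri
                current[1].add("http_uri")
            results.append(current)
        elif current is not None and value == "":
            current[1].add(key)              # bare flag, e.g. http_stat_msg, nocase
    return [(pattern, sorted(mods)) for pattern, mods in results]


def fast_pattern_candidates(rule):
    """Patterns the fast-pattern matcher could pre-filter on: any content whose
    buffer is not in the ignored set."""
    return [pattern for pattern, mods in content_buffers(rule)
            if not set(mods) & FAST_PATTERN_IGNORED]


def lint_rule(rule):
    """Classify a rule by whether the fast-pattern matcher can cheaply pre-filter it."""
    if not content_buffers(rule):
        return "no content match: every packet on the matching flow reaches the detection engine"
    if not fast_pattern_candidates(rule):
        return "no fast_pattern candidate: all contents use ignored buffers"
    return "ok"


# The rule quoted in the thread (sid:2012708 rev:2), joined onto one line.
RULE_2012708 = (
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any '
    '(msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; '
    'flow:from_server,established; content:"414"; http_stat_code; '
    'content:"Request-URI Too Large"; http_stat_msg; nocase; '
    'classtype:web-application-attack; sid:2012708; rev:2;)'
)

# Constructed comparison rule (not from the thread): its http_uri content is a
# fast_pattern candidate, so most flows never reach the detection engine.
RULE_CONSTRUCTED = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"EXAMPLE cgi-bin request with raw header"; '
    'flow:to_server,established; content:"/cgi-bin/"; http_uri; nocase; '
    'content:"X-Example"; http_raw_header; classtype:attempted-recon; '
    'sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    for rule in (RULE_2012708, RULE_CONSTRUCTED):
        sid = dict(parse_options(rule))["sid"]
        print(f"sid:{sid}: {lint_rule(rule)}")
```

Run over a whole ruleset, the same check surfaces every signature that, like this one, can only be matched by the detection engine; those are the rules worth profiling with Snort's rule-performance statistics before enabling them by default.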