[Snort-devel] [Emerging-Sigs] 2012708

Matt Olney molney at ...402...
Tue Apr 26 12:21:17 EDT 2011


This is because http_stat_code doesn't add to the fast_pattern
matcher.  In this case, since http_stat_code does no normalization (and
therefore the content would be the same in http_header), I'd
recommend the following:
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
WEB_SERVER HTTP 414 Request URI Too Large";
flow:from_server,established; content:"414"; http_stat_code;
content:"Request-URI Too Large"; http_header; nocase;
classtype:web-application-attack; sid:2012708; rev:2;)

This replaces a nice, fat "Request-URI Too Large" into the
fast_pattern, which should improve performance.

For further reference, none of the following make entries into the
fast_pattern matcher:
http_cookie, http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code,
http_stat_msg

Matt

On Tue, Apr 26, 2011 at 11:14 AM, Will Metcalf
<william.metcalf at ...2499...> wrote:
>
> > Is there some benefit to using the http keyword for these we might miss?
>
> There is a performance benefit... just not with rules comprised
> completely of any combination of the following keywords... namely,
> http_cookie,
> http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.
>
> Regards,
>
> Will
>
>
> On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman
> <jonkman at ...3176...> wrote:
> > Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers.
> >
> > The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on all platforms?
> >
> > Is there some benefit to using the http keyword for these we might miss?
> >
> > Thoughts?
> >
> > Matt
> >
> >
> > On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
> >
> >> IMHO this sig should be disabled by default.  Running the ET open
> >> rules against some production network captures rich with HTTP, this
> >> sig cost the most in terms of total ticks. Signatures comprised
> >> completely of keywords ignored by fast_pattern should be avoided.  As
> >> an aside, I think I have requested this before but, snort-devs imho
> >> you should allow your users more granular control over rule groupings
> >> i.e. allow them to optionally/additionally group sigs based on src/dst
> >> ip.  There is no reason why this sig should be so expensive in a data
> >> set comprised almost entirely of client HTTP requests.  I think the
> >> concern was memory consumption, but so what?... memory is cheap! Just
> >> my 2 cents...
> >>
> >> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
> >> WEB_SERVER HTTP 414 Request URI Too Large";
> >> flow:from_server,established; content:"414"; http_stat_code;
> >> content:"Request-URI Too Large"; http_stat_msg; nocase;
> >> classtype:web-application-attack; sid:2012708; rev:2;)
> >>
> >> Regards,
> >>
> >> Will
> >>
> >> /me goes back to my WAF hole...
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at ...2992...
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >
> >
> > ----------------------------------------------------
> > Matthew Jonkman
> > Emergingthreats.net
> > Emerging Threats Pro
> > Open Information Security Foundation (OISF)
> > Phone 765-807-8630 x110
> > Fax 312-264-0205
> > http://www.emergingthreatspro.com
> > http://www.openinfosecfoundation.org
> > ----------------------------------------------------
> >
> > PGP: http://www.jonkmans.com/mattjonkman.asc
> >
> >
> >
> >
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

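Editor's note: the following is an added example, not code from Snort, Emerging Threats or anyone in the thread. It turns the point made above (a rule whose every content sits in an excluded buffer never reaches the fast-pattern matcher) into a small lint that can be run over a ruleset. The buffer list is the one given in the thread for Snort 2.9 of that time; the selection logic is a simplification I am assuming (a content is eligible unless negated or bound to an excluded buffer; with no explicit fast_pattern modifier the longest eligible content is taken, ignoring Snort's tie-break and byte-count nuances). The rules embedded below are the two revisions of sid 2012708 quoted in the thread plus one constructed rule to exercise the negated-content and explicit fast_pattern cases.

```python
"""Lint Snort 2.x rules for fast-pattern coverage.

Added example, not Snort or ET code.  Assumption: a content feeds the
fast-pattern matcher unless it is negated or bound to one of the buffers
the thread lists as excluded; absent an explicit fast_pattern modifier the
longest eligible content is chosen (simplified Snort 2.x default)."""
import re
from dataclasses import dataclass

# Buffers the thread says do not feed the fast-pattern matcher (Snort 2.9, 2011).
NO_FAST_PATTERN_BUFFERS = {
    "http_cookie", "http_raw_uri", "http_raw_header", "http_raw_cookie",
    "http_stat_code", "http_stat_msg",
}
# All content modifiers that select a buffer; those not excluded above do feed it.
BUFFER_MODIFIERS = NO_FAST_PATTERN_BUFFERS | {
    "http_uri", "http_header", "http_client_body", "http_method",
}

@dataclass
class Content:
    pattern: str
    negated: bool
    buffer: str = "payload"          # default: normalized packet payload
    nocase: bool = False
    explicit_fast_pattern: bool = False

    @property
    def fast_pattern_eligible(self) -> bool:
        return not self.negated and self.buffer not in NO_FAST_PATTERN_BUFFERS

def split_options(body: str) -> list:
    """Split the rule body on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False; continue
        if ch == "\\":
            cur.append(ch); escaped = True; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []; continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]

def pattern_length(pat: str) -> int:
    """Length in bytes: odd-numbered chunks between '|' are hex byte lists."""
    total = 0
    for i, chunk in enumerate(pat.split("|")):
        total += len(chunk.split()) if i % 2 else len(re.sub(r"\\(.)", r"\1", chunk))
    return total

HEADER = re.compile(r"\s*\S+\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$", re.S)

def parse_rule(rule: str):
    """Return (sid, [Content...]); each modifier applies to the preceding content."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule[:40])
    contents, sid = [], None
    for opt in split_options(m.group(1)):
        name, _, arg = opt.partition(":")
        name, arg = name.strip(), arg.strip()
        if name == "content":
            negated = arg.startswith("!")
            if negated:
                arg = arg[1:].lstrip()
            contents.append(Content(pattern=arg.strip('"'), negated=negated))
        elif name in BUFFER_MODIFIERS and contents:
            contents[-1].buffer = name
        elif name == "nocase" and contents:
            contents[-1].nocase = True
        elif name == "fast_pattern" and contents:      # also fast_pattern:only / :off,len
            contents[-1].explicit_fast_pattern = True
        elif name == "sid":
            sid = int(arg)
    return sid, contents

def choose_fast_pattern(contents):
    eligible = [c for c in contents if c.fast_pattern_eligible]
    explicit = [c for c in eligible if c.explicit_fast_pattern]
    if explicit:
        return explicit[0]
    return max(eligible, key=lambda c: pattern_length(c.pattern)) if eligible else None

def lint(rule: str) -> dict:
    sid, contents = parse_rule(rule)
    fp = choose_fast_pattern(contents)
    if fp is None:
        return {"sid": sid, "fast_pattern": None, "buffer": None,
                "warning": "no content feeds the fast-pattern matcher"}
    return {"sid": sid, "fast_pattern": fp.pattern, "buffer": fp.buffer, "warning": None}

# The two revisions quoted in the thread (Will's http_stat_msg form, Matt's http_header form).
RULE_STAT_MSG = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 '
                 'Request URI Too Large"; flow:from_server,established; content:"414"; http_stat_code; '
                 'content:"Request-URI Too Large"; http_stat_msg; nocase; '
                 'classtype:web-application-attack; sid:2012708; rev:2;)')
RULE_HTTP_HEADER = RULE_STAT_MSG.replace("http_stat_msg;", "http_header;")
# Constructed rule: negated and excluded contents lose to a short explicit fast_pattern.
RULE_EXPLICIT = ('alert tcp any any -> any any (msg:"constructed"; content:!"AAAAAAAA"; '
                 'content:"ab"; fast_pattern; content:"|41 42 43|longer"; http_uri; sid:9000001;)')

if __name__ == "__main__":
    for r in (RULE_STAT_MSG, RULE_HTTP_HEADER, RULE_EXPLICIT):
        print(lint(r))
```

Run over a rules file line by line, the lint flags exactly the class of rule Will measured as most expensive: every content bound to http_stat_code, http_stat_msg, http_cookie or a raw buffer, so the rule has no fast-pattern entry and is evaluated on every packet in its port group. For sid 2012708 it reports no fast pattern for the http_stat_msg revision and "Request-URI Too Large" in http_header for Matt's rewrite.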