[Snort-devel] [Emerging-Sigs] 2012708

Matthew Jonkman jonkman at ...3176...
Tue Apr 26 12:35:43 EDT 2011


Thanks Matt, very useful info! I'll update our relevant _msg rules to use header when there isn't another long match.

Matt


On Apr 26, 2011, at 12:21 PM, Matt Olney wrote:

> This is because http_stat_code doesn't add to the fast_pattern
> matcher.  In this case, since http_stat_code does no normalization (and
> therefore the content would be the same in http_header), I'd
> recommend the following:
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
> WEB_SERVER HTTP 414 Request URI Too Large";
> flow:from_server,established; content:"414"; http_stat_code;
> content:"Request-URI Too Large"; http_header; nocase;
> classtype:web-application-attack; sid:2012708; rev:2;)
> 
> This replaces a nice, fat "Request-URI Too Large" into the
> fast_pattern, which should improve performance.
> 
> For further reference, none of the following make entries into the
> fast_pattern matcher:
> http cookie, http raw uri, http raw header, http raw cookie, http stat
> code, http stat msg
> 
> Matt
> 
> On Tue, Apr 26, 2011 at 11:14 AM, Will Metcalf
> <william.metcalf at ...2499...> wrote:
>> 
>>> Is there some benefit to using the http keyword for these we might miss?
>> 
>> There is a performance benefit... just not with rules comprised
>> completely of any combination of the following keywords... namely,
>> http_cookie,
>> http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.
>> 
>> Regards,
>> 
>> Will
>> 
>> 
>> On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman
>> <jonkman at ...3176...> wrote:
>>> Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers.
>>> 
>>> The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on all platforms?
>>> 
>>> Is there some benefit to using the http keyword for these we might miss?
>>> 
>>> Thoughts?
>>> 
>>> Matt
>>> 
>>> 
>>> On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
>>> 
>>>> IMHO this sig should be disabled by default.  Running the ET open
>>>> rules against some production network captures rich with HTTP, this
>>>> sig cost the most in terms of total ticks. Signatures comprised
>>>> completely of keywords ignored by fast_pattern should be avoided.  As
>>>> an aside, I think I have requested this before but, snort-devs imho
>>>> you should allow your users more granular control over rule groupings
>>>> i.e. allow them to optionally/additionally group sigs based on src/dst
>>>> ip.  There is no reason why this sig should be so expensive in a data
>>>> set comprised almost entirely of client HTTP requests.  I think the
>>>> concern was memory consumption, but so what?... memory is cheap! Just
>>>> my 2 cents...
>>>> 
>>>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
>>>> WEB_SERVER HTTP 414 Request URI Too Large";
>>>> flow:from_server,established; content:"414"; http_stat_code;
>>>> content:"Request-URI Too Large"; http_stat_msg; nocase;
>>>> classtype:web-application-attack; sid:2012708; rev:2;)
>>>> 
>>>> Regards,
>>>> 
>>>> Will
>>>> 
>>>> /me goes back to my WAF hole...
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at ...2992...
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>> 
>>> 
>> 
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc