[Snort-devel] [Emerging-Sigs] 2012708

Steven Sturges ssturges at ...402...
Tue Apr 26 12:40:07 EDT 2011


And a heads-up that, because it provides no distinct advantage,
http method will be added to that list in the next release.

99.8% of the time it will be a get or a post that we're searching
with the fast pattern.

On 4/26/11 12:21 PM, Matt Olney wrote:
> This is because http_stat_code doesn't add to the fast_pattern
> matcher.  In this case, since http_stat_code does no normalization (and
> therefore the content would be the same in http_header), I'd
> recommend the following:
> alert tcp $HOME_NET $HTTP_PORTS ->  $EXTERNAL_NET any (msg:"ET
> WEB_SERVER HTTP 414 Request URI Too Large";
> flow:from_server,established; content:"414"; http_stat_code;
> content:"Request-URI Too Large"; http_header; nocase;
> classtype:web-application-attack; sid:2012708; rev:2;)
>
> This replaces a nice, fat "Request-URI Too Large" into the
> fast_pattern, which should improve performance.
>
> For further reference, none of the following make entries into the
> fast_pattern matcher:
> http cookie, http raw uri, http raw header, http raw cookie, http stat
> code, http stat msg
>
> Matt
>
> On Tue, Apr 26, 2011 at 11:14 AM, Will Metcalf
> <william.metcalf at ...2499...>  wrote:
>>
>>> Is there some benefit to using the http keyword for these we might miss?
>>
>> There is a performance benefit... just not with rules comprised
>> completely of any combination of the following keywords... namely,
>> http_cookie,
>> http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.
>>
>> Regards,
>>
>> Will
>>
>>
>> On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman
>> <jonkman at ...3176...>  wrote:
>>> Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers.
>>>
>>> The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on all platforms?
>>>
>>> Is there some benefit to using the http keyword for these we might miss?
>>>
>>> Thoughts?
>>>
>>> Matt
>>>
>>>
>>> On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
>>>
>>>> IMHO this sig should be disabled by default.  Running the ET open
>>>> rules against some production network captures rich with HTTP, this
>>>> sig cost the most in terms of total ticks. Signatures comprised
>>>> completely of keywords ignored by fast_pattern should be avoided.  As
>>>> an aside, I think I have requested this before but, snort-devs imho
>>>> you should allow your users more granular control over rule groupings
>>>> i.e. allow them to optionally/additionally group sigs based on src/dst
>>>> ip.  There is no reason why this sig should be so expensive in a data
>>>> set comprised almost entirely of client HTTP requests.  I think the
>>>> concern was memory consumption, but so what?... memory is cheap! Just
>>>> my 2 cents...
>>>>
>>>> alert tcp $HOME_NET $HTTP_PORTS ->  $EXTERNAL_NET any (msg:"ET
>>>> WEB_SERVER HTTP 414 Request URI Too Large";
>>>> flow:from_server,established; content:"414"; http_stat_code;
>>>> content:"Request-URI Too Large"; http_stat_msg; nocase;
>>>> classtype:web-application-attack; sid:2012708; rev:2;)
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> /me goes back to my WAF hole...
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at ...2992...
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>>>
>>>
>>> ----------------------------------------------------
>>> Matthew Jonkman
>>> Emergingthreats.net
>>> Emerging Threats Pro
>>> Open Information Security Foundation (OISF)
>>> Phone 765-807-8630 x110
>>> Fax 312-264-0205
>>> http://www.emergingthreatspro.com
>>> http://www.openinfosecfoundation.org
>>> ----------------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>>
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>
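The thread's point is that a content match only helps the fast-pattern matcher when its buffer is one the matcher indexes, so a rule built entirely from http_stat_code/http_stat_msg contents has nothing to hand the matcher and is evaluated far more often than it should be. The following script is an added illustration, not code from Snort or from the Emerging Threats project: it parses the option section of a Snort rule, groups each content with the buffer modifiers that follow it, and reports which content (if any) would be usable as the fast pattern. The exclusion list is the one Matt and Will give above; the choice of the longest eligible content is a simplified stand-in for Snort's real selection logic, and the third rule (a GET-only http_method rule with a local sid) is constructed here to show what Steven's announced http_method exclusion would do.

```python
import re

# Buffers that, per the thread, are not indexed by the fast-pattern matcher.
NON_FAST_PATTERN_BUFFERS = {
    "http_cookie", "http_raw_uri", "http_raw_header",
    "http_raw_cookie", "http_stat_code", "http_stat_msg",
}
# Sticky-ish modifiers that re-target the preceding content to a buffer.
BUFFER_MODIFIERS = NON_FAST_PATTERN_BUFFERS | {
    "http_uri", "http_header", "http_client_body", "http_method",
}

# One option at a time: name, optional ':' value (quoted or bare), then ';'.
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*(!?"(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_rule_options(rule):
    """Return [(name, value)] for everything inside the rule's parentheses."""
    body = rule[rule.index("(") + 1:rule.rindex(")")].strip()
    opts, pos = [], 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"unparsable option near {body[pos:pos + 30]!r}")
        name, value = m.group(1).lower(), m.group(2)
        if value is not None and value.lstrip("!").startswith('"'):
            value = value.lstrip("!")[1:-1]  # drop the surrounding quotes
        opts.append((name, value))
        pos = m.end()
    return opts


def content_matches(opts):
    """Group each content keyword with the modifiers that apply to it."""
    matches = []
    for name, value in opts:
        if name == "content":
            matches.append({"pattern": value, "buffer": "payload",
                            "nocase": False, "fast_pattern": False})
        elif matches and name in BUFFER_MODIFIERS:
            matches[-1]["buffer"] = name
        elif matches and name == "nocase":
            matches[-1]["nocase"] = True
        elif matches and name == "fast_pattern":
            matches[-1]["fast_pattern"] = True
    return matches


def choose_fast_pattern(matches, extra_excluded=()):
    """Pick the content the matcher would index, or None if no buffer qualifies.

    Assumption: explicit fast_pattern wins, otherwise the longest eligible
    content; this is a simplified model of Snort's selection, not its code.
    """
    excluded = NON_FAST_PATTERN_BUFFERS | set(extra_excluded)
    eligible = [m for m in matches if m["buffer"] not in excluded]
    if not eligible:
        return None
    explicit = [m for m in eligible if m["fast_pattern"]]
    if explicit:
        return explicit[0]
    return max(eligible, key=lambda m: len(m["pattern"]))


def fast_pattern_for(rule, extra_excluded=()):
    """Convenience wrapper: (pattern, buffer) or None for a whole rule text."""
    fp = choose_fast_pattern(content_matches(parse_rule_options(rule)), extra_excluded)
    return None if fp is None else (fp["pattern"], fp["buffer"])


# The two versions of sid 2012708 discussed in the thread (joined onto one line).
ORIGINAL_RULE = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any '
                 '(msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; '
                 'flow:from_server,established; content:"414"; http_stat_code; '
                 'content:"Request-URI Too Large"; http_stat_msg; nocase; '
                 'classtype:web-application-attack; sid:2012708; rev:2;)')
REVISED_RULE = ORIGINAL_RULE.replace("http_stat_msg;", "http_header;")

# Constructed GET-only rule (local sid range) to show the announced http_method exclusion.
METHOD_ONLY_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
                    '(msg:"EXAMPLE method-only rule"; flow:to_server,established; '
                    'content:"GET"; http_method; sid:1000001; rev:1;)')

if __name__ == "__main__":
    print("original :", fast_pattern_for(ORIGINAL_RULE))       # None -> no fast pattern
    print("revised  :", fast_pattern_for(REVISED_RULE))        # ('Request-URI Too Large', 'http_header')
    print("GET-only :", fast_pattern_for(METHOD_ONLY_RULE))    # ('GET', 'http_method')
    print("GET-only, next release:",
          fast_pattern_for(METHOD_ONLY_RULE, extra_excluded=("http_method",)))  # None
```

Running it shows the original rule yields no fast-pattern content at all, while the http_header variant hands the matcher the long "Request-URI Too Large" string, which is exactly why Matt expects the rewrite to perform better. The same check applied to a rule whose only content is a short method string shows why Steven's change costs nothing: "GET" and "POST" are so common in the fast-pattern buffer that they prefilter almost no traffic anyway.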