[Snort-devel] [Emerging-Sigs] 2012708

Matthew Jonkman jonkman at ...3176...
Tue Apr 26 12:42:02 EDT 2011


Is it feasible to not add get or post, but DO add other less usual methods? 

Matt

On Apr 26, 2011, at 12:40 PM, Steven Sturges wrote:

> And a heads up that because it provides no distinct advantage
> http method will be added to that list in the next release.
> 
> 99.8% of the time it will be a get or a post that we're searching
> with the fast pattern.
> 
> On 4/26/11 12:21 PM, Matt Olney wrote:
>> This is because http_stat_code doesn't add to the fast_pattern
>> matcher.  In this case, since http_stat_code does no normalization (and
>> therefore the content would be the same in http_header), I'd
>> recommend the following:
>> alert tcp $HOME_NET $HTTP_PORTS ->  $EXTERNAL_NET any (msg:"ET
>> WEB_SERVER HTTP 414 Request URI Too Large";
>> flow:from_server,established; content:"414"; http_stat_code;
>> content:"Request-URI Too Large"; http_header; nocase;
>> classtype:web-application-attack; sid:2012708; rev:2;)
>> 
>> This replaces a nice, fat "Request-URI Too Large" into the
>> fast_pattern, which should improve performance.
>> 
>> For further reference, none of the following make entries into the
>> fast_pattern matcher:
>> http cookie, http raw uri, http raw header, http raw cookie, http stat
>> code, http stat msg
>> 
>> Matt
>> 
>> On Tue, Apr 26, 2011 at 11:14 AM, Will Metcalf
>> <william.metcalf at ...2499...>  wrote:
>>> 
>>>> Is there some benefit to using the http keyword for these we might miss?
>>> 
>>> There is a performance benefit... just not with rules comprised
>>> completely of any combination of the following keywords... namely,
>>> http_cookie,
>>> http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.
>>> 
>>> Regards,
>>> 
>>> Will
>>> 
>>> 
>>> On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman
>>> <jonkman at ...3176...>  wrote:
>>>> Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers.
>>>> 
>>>> The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on all platforms?
>>>> 
>>>> Is there some benefit to using the http keyword for these we might miss?
>>>> 
>>>> Thoughts?
>>>> 
>>>> Matt
>>>> 
>>>> 
>>>> On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
>>>> 
>>>>> IMHO this sig should be disabled by default.  Running the ET open
>>>>> rules against some production network captures rich with HTTP, this
>>>>> sig cost the most in terms of total ticks. Signatures comprised
>>>>> completely of keywords ignored by fast_pattern should be avoided.  As
>>>>> an aside, I think I have requested this before but, snort-devs imho
>>>>> you should allow your users more granular control over rule groupings
>>>>> i.e. allow them to optionally/additionally group sigs based on src/dst
>>>>> ip.  There is no reason why this sig should be so expensive in a data
>>>>> set comprised almost entirely of client HTTP requests.  I think the
>>>>> concern was memory consumption, but so what?... memory is cheap! Just
>>>>> my 2 cents...
>>>>> 
>>>>> alert tcp $HOME_NET $HTTP_PORTS ->  $EXTERNAL_NET any (msg:"ET
>>>>> WEB_SERVER HTTP 414 Request URI Too Large";
>>>>> flow:from_server,established; content:"414"; http_stat_code;
>>>>> content:"Request-URI Too Large"; http_stat_msg; nocase;
>>>>> classtype:web-application-attack; sid:2012708; rev:2;)
>>>>> 
>>>>> Regards,
>>>>> 
>>>>> Will
>>>>> 
>>>>> /me goes back to my WAF hole...
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at ...2992...
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>> 
>>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>>>> 
>>>> 
>>>> ----------------------------------------------------
>>>> Matthew Jonkman
>>>> Emergingthreats.net
>>>> Emerging Threats Pro
>>>> Open Information Security Foundation (OISF)
>>>> Phone 765-807-8630 x110
>>>> Fax 312-264-0205
>>>> http://www.emergingthreatspro.com
>>>> http://www.openinfosecfoundation.org
>>>> ----------------------------------------------------
>>>> 
>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> WhatsUp Gold - Download Free Network Management Software
>>> The most intuitive, comprehensive, and cost-effective network
>>> management toolset available today.  Delivers lowest initial
>>> acquisition cost and overall TCO of any competing solution.
>>> http://p.sf.net/sfu/whatsupgold-sd
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> 
> 


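As an added example (not from the thread, and not Snort project code), here is a small Python linter that applies what Matt Olney and Will Metcalf describe above: it parses a rule's content options, tracks which HTTP buffer each content lands in, and reports which content, if any, would be eligible for the fast_pattern matcher. The exclusion list is the one quoted in the thread, with a second list that adds http_method per Steven Sturges' note about the next release. The selection model (an explicitly flagged fast_pattern content wins if eligible, otherwise the longest eligible content, and negated contents never qualify) is my simplification of Snort's heuristic, not a statement of its exact behaviour. The two forms of sid 2012708 are the ones quoted in the thread, unwrapped; the rule with sid 9000001 is constructed for illustration.

```python
import re

# Buffers that, per Matt Olney and Will Metcalf in the thread, make no entry
# in Snort's fast_pattern matcher.
NON_FAST_PATTERN_BUFFERS = frozenset({
    "http_cookie", "http_raw_uri", "http_raw_header",
    "http_raw_cookie", "http_stat_code", "http_stat_msg",
})
# Steven Sturges says http_method joins that list in the next release.
NON_FAST_PATTERN_BUFFERS_NEXT = NON_FAST_PATTERN_BUFFERS | {"http_method"}

# Content modifiers that move the preceding content into an HTTP buffer.
BUFFER_MODIFIERS = frozenset({
    "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_cookie", "http_raw_cookie", "http_client_body", "http_method",
    "http_stat_code", "http_stat_msg",
})

# One rule option: keyword, optional ':' value (quoted or bare), terminating ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*(!?"(?:[^"\\]|\\.)*"|[^;]*))?;')


def content_length(value):
    """Byte length of a content string, counting |hex| escapes as bytes."""
    total = 0
    for i, chunk in enumerate(value.split("|")):
        if i % 2:                                   # odd chunks sit inside |...|
            total += len(chunk.split())             # each hex pair is one byte
        else:
            total += len(re.findall(r"\\.|.", chunk))  # a backslash escape is one byte
    return total


def parse_contents(rule):
    """Return (sid, list of content dicts) for one rule string."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents, sid = [], None
    for m in OPTION_RE.finditer(body):
        key, val = m.group(1), m.group(2)
        if key == "content" and val:
            raw = val.strip()
            contents.append({"value": raw.lstrip("!").strip('"'),
                             "buffer": "payload",   # default: raw packet payload
                             "negated": raw.startswith("!"),
                             "explicit": False})
        elif key in BUFFER_MODIFIERS and contents:
            contents[-1]["buffer"] = key            # modifier binds to the last content
        elif key == "fast_pattern" and contents:
            contents[-1]["explicit"] = True
        elif key == "sid" and val:
            sid = int(val.strip())
    return sid, contents


def fast_pattern_candidate(rule, excluded=NON_FAST_PATTERN_BUFFERS):
    """Content the matcher would key on, or None if nothing is eligible.

    Simplified model (my assumption, not Snort's exact heuristic): an explicit
    fast_pattern content wins if eligible, otherwise the longest eligible
    content, first one on ties; negated contents never qualify.
    """
    _, contents = parse_contents(rule)
    eligible = [c for c in contents
                if c["buffer"] not in excluded and not c["negated"]]
    if not eligible:
        return None
    pool = [c for c in eligible if c["explicit"]] or eligible
    return max(pool, key=lambda c: content_length(c["value"]))["value"]


def lint_rule(rule, excluded=NON_FAST_PATTERN_BUFFERS):
    """Summarise a rule's fast_pattern situation for a rule writer."""
    sid, contents = parse_contents(rule)
    candidate = fast_pattern_candidate(rule, excluded)
    if candidate is None:
        verdict = ("no fast_pattern content; the matcher cannot pre-filter this "
                   "rule, so move a content into an eligible buffer such as "
                   "http_header, or disable the rule")
    else:
        verdict = "fast_pattern: %r (%d bytes)" % (candidate, content_length(candidate))
    return {"sid": sid, "candidate": candidate, "verdict": verdict,
            "contents": [(c["value"], c["buffer"]) for c in contents]}


# sid 2012708 rev 2 in the two forms quoted in the thread, unwrapped.
RULE_STAT_MSG = (
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 '
    'Request URI Too Large"; flow:from_server,established; content:"414"; '
    'http_stat_code; content:"Request-URI Too Large"; http_stat_msg; nocase; '
    'classtype:web-application-attack; sid:2012708; rev:2;)'
)
RULE_HEADER = RULE_STAT_MSG.replace("http_stat_msg", "http_header")

# Constructed rule (sid 9000001 is a placeholder in the local range) whose only
# eligible content is the method, to show the effect of the next-release list.
RULE_METHOD_ONLY = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed example"; '
    'flow:to_server,established; content:"GET"; http_method; '
    'content:"session="; http_cookie; sid:9000001; rev:1;)'
)

if __name__ == "__main__":
    for rule in (RULE_STAT_MSG, RULE_HEADER, RULE_METHOD_ONLY):
        for label, excl in (("current", NON_FAST_PATTERN_BUFFERS),
                            ("next release", NON_FAST_PATTERN_BUFFERS_NEXT)):
            r = lint_rule(rule, excl)
            print("sid %s [%s]: %s" % (r["sid"], label, r["verdict"]))
```

Run against the http_stat_msg form of 2012708 the linter finds no eligible content at all, which is the situation Will measured as the most expensive rule in his captures; the http_header form yields "Request-URI Too Large" as the fast pattern, as Matt Olney intended. The constructed method-only rule shows why adding http_method to the excluded list costs little: a three-byte "GET" is the only thing the matcher could key on, and once that buffer is excluded the rule falls into the same no-fast-pattern bucket.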