[Snort-devel] [Emerging-Sigs] 2012708

Will Metcalf william.metcalf at ...2499...
Tue Apr 26 12:48:48 EDT 2011


I don't think that the status line is included in the http_header
buffer, correct?  I think your modification will cause this sig not to
fire.

HTTP/1.1 414 Request URI Too Large
Date: Mon, 25 Apr 2011 18:55:13 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 249
Content-Type: text/html; charset=iso-8859-1

Regards,

Will

On Tue, Apr 26, 2011 at 11:21 AM, Matt Olney <molney at ...402...> wrote:
> This is because http_stat_code doesn't add to the fast_pattern
> matcher.  In this case, since http_stat_code does no normalization (and
> therefore the content would be the same in http_header), I'd
> recommend the following:
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
> WEB_SERVER HTTP 414 Request URI Too Large";
> flow:from_server,established; content:"414"; http_stat_code;
> content:"Request-URI Too Large"; http_header; nocase;
> classtype:web-application-attack; sid:2012708; rev:2;)
>
> This replaces a nice, fat "Request-URI Too Large" into the
> fast_pattern, which should improve performance.
>
> For further reference, none of the following make entries into the
> fast_pattern matcher:
> http cookie, http raw uri, http raw header, http raw cookie, http stat
> code, http stat msg
>
> Matt
>
> On Tue, Apr 26, 2011 at 11:14 AM, Will Metcalf
> <william.metcalf at ...2499...> wrote:
>>
>> > Is there some benefit to using the http keyword for these we might miss?
>>
>> There is a performance benefit... just not with rules comprised
>> completely of any combination of the following keywords... namely,
>> http_cookie,
>> http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.
>>
>> Regards,
>>
>> Will
>>
>>
>> On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman
>> <jonkman at ...3176...> wrote:
>> > Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers.
>> >
>> > The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on all platforms?
>> >
>> > Is there some benefit to using the http keyword for these we might miss?
>> >
>> > Thoughts?
>> >
>> > Matt
>> >
>> >
>> > On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
>> >
>> >> IMHO this sig should be disabled by default.  Running the ET open
>> >> rules against some production network captures rich with HTTP, this
>> >> sig cost the most in terms of total ticks. Signatures comprised
>> >> completely of keywords ignored by fast_pattern should be avoided.  As
>> >> an aside, I think I have requested this before, but snort-devs, imho
>> >> you should allow your users more granular control over rule groupings
>> >> i.e. allow them to optionally/additionally group sigs based on src/dst
>> >> ip.  There is no reason why this sig should be so expensive in a data
>> >> set comprised almost entirely of client HTTP requests.  I think the
>> >> concern was memory consumption, but so what?... memory is cheap! Just
>> >> my 2 cents...
>> >>
>> >> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
>> >> WEB_SERVER HTTP 414 Request URI Too Large";
>> >> flow:from_server,established; content:"414"; http_stat_code;
>> >> content:"Request-URI Too Large"; http_stat_msg; nocase;
>> >> classtype:web-application-attack; sid:2012708; rev:2;)
>> >>
>> >> Regards,
>> >>
>> >> Will
>> >>
>> >> /me goes back to my WAF hole...
>> >> _______________________________________________
>> >> Emerging-sigs mailing list
>> >> Emerging-sigs at ...2992...
>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >>
>> >
>> >
>> > ----------------------------------------------------
>> > Matthew Jonkman
>> > Emergingthreats.net
>> > Emerging Threats Pro
>> > Open Information Security Foundation (OISF)
>> > Phone 765-807-8630 x110
>> > Fax 312-264-0205
>> > http://www.emergingthreatspro.com
>> > http://www.openinfosecfoundation.org
>> > ----------------------------------------------------
>> >
>> > PGP: http://www.jonkmans.com/mattjonkman.asc
>> >
>> >
>> >
>> >
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
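The two points argued above (the status line is not part of the http_header buffer, and contents in the http_stat_* and raw buffers never feed the fast_pattern matcher) can be checked with a small model of the buffers. The following script is an added example, not code from the thread or from Snort; it is a simplified stand-in for HttpInspect's buffer split and assumes, as Will does, that http_header carries only the header lines. The 414 response is constructed from the one Will pasted, with the reason phrase spelled the way the rule's content string expects, and the "not in fast_pattern" list is taken from Matt's message.

```python
"""Model of the Snort HTTP buffers discussed in the thread (added example).

Assumption (from the thread): the status line is NOT part of http_header;
http_stat_code and http_stat_msg each get their own buffer. Snort's real
buffer extraction lives in HttpInspect; this is a simplified stand-in.
"""
import re

# Buffers whose contents never enter the fast_pattern matcher (Matt's list).
NOT_FAST_PATTERN = {"http_cookie", "http_raw_uri", "http_raw_header",
                    "http_raw_cookie", "http_stat_code", "http_stat_msg"}

# Constructed sample: a 414 response modelled on the one quoted in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 414 Request-URI Too Large\r\n"
    "Date: Mon, 25 Apr 2011 18:55:13 GMT\r\n"
    "Server: Apache/2.2.14 (Ubuntu)\r\n"
    "Vary: Accept-Encoding\r\n"
    "Content-Encoding: gzip\r\n"
    "Content-Length: 249\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# Will's original sig (http_stat_msg) and Matt's proposed variant (http_header).
RULE_STAT_MSG = (
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER '
    'HTTP 414 Request URI Too Large"; flow:from_server,established; '
    'content:"414"; http_stat_code; content:"Request-URI Too Large"; '
    'http_stat_msg; nocase; classtype:web-application-attack; sid:2012708; rev:2;)'
)
RULE_HEADER = RULE_STAT_MSG.replace("http_stat_msg;", "http_header;")


def split_buffers(response: str) -> dict:
    """Split a raw HTTP response into the three buffers the rules reference."""
    head, _, _body = response.partition("\r\n\r\n")
    status_line, _, headers = head.partition("\r\n")
    _version, code, msg = status_line.split(" ", 2)
    return {
        "http_stat_code": code,
        "http_stat_msg": msg,
        "http_header": headers + "\r\n",  # header lines only; status line excluded
    }


# content:"..."; followed by its bare modifiers (http_*, nocase, ...) up to the
# next option that carries a value.
CONTENT_RE = re.compile(r'content:"([^"]*)";((?:\s*[a-z_]+;)*)')


def parse_contents(rule: str):
    """Return [(pattern, buffer, nocase)] for every content option in a rule."""
    out = []
    for m in CONTENT_RE.finditer(rule):
        mods = [x.rstrip(";") for x in m.group(2).split()]
        buffer = next((x for x in mods if x.startswith("http_")), "payload")
        out.append((m.group(1), buffer, "nocase" in mods))
    return out


def rule_fires(rule: str, buffers: dict) -> bool:
    """True if every content pattern is found in the buffer it is bound to."""
    for pattern, buf, nocase in parse_contents(rule):
        hay = buffers.get(buf, "")
        if nocase:
            hay, pattern = hay.lower(), pattern.lower()
        if pattern not in hay:
            return False
    return True


def fast_pattern_candidates(rule: str):
    """Contents that could be handed to the fast_pattern matcher at all."""
    return [p for p, buf, _ in parse_contents(rule) if buf not in NOT_FAST_PATTERN]


if __name__ == "__main__":
    bufs = split_buffers(SAMPLE_RESPONSE)
    for name, rule in (("http_stat_msg", RULE_STAT_MSG), ("http_header", RULE_HEADER)):
        print(f"{name:14s} fires={rule_fires(rule, bufs)} "
              f"fast_pattern candidates={fast_pattern_candidates(rule)}")
```

Run stand-alone, the http_stat_msg variant fires but offers nothing to the fast_pattern matcher (every content sits in an excluded buffer), while the http_header variant offers "Request-URI Too Large" to fast_pattern but never fires, because that phrase lives in the status line, not in the header buffer. Both halves of the thread are right about their own point; the two cannot be had together with these buffers.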