[Snort-devel] [Emerging-Sigs] 2012708

rmkml rmkml at ...2519...
Tue Apr 26 13:10:31 EDT 2011


Hi,
Confirm it, no match with http_header.
Regards
Rmkml


On Tue, 26 Apr 2011, Will Metcalf wrote:

> I don't think that the status-line is included in the http_header
> buffer, correct?  I think your modification will cause this sig not to
> fire.
>
> HTTP/1.1 414 Request URI Too Large
> Date: Mon, 25 Apr 2011 18:55:13 GMT
> Server: Apache/2.2.14 (Ubuntu)
> Vary: Accept-Encoding
> Content-Encoding: gzip
> Content-Length: 249
> Content-Type: text/html; charset=iso-8859-1
>
> Regards,
>
> Will
>
> On Tue, Apr 26, 2011 at 11:21 AM, Matt Olney <molney at ...402...> wrote:
>> This is because http_stat_code doesn't add to the fast_pattern
>> matcher.  In this case, since http_stat_code does no normalization (and
>> therefore the content would be the same in http_header), I'd
>> recommend the following:
>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
>> WEB_SERVER HTTP 414 Request URI Too Large";
>> flow:from_server,established; content:"414"; http_stat_code;
>> content:"Request-URI Too Large"; http_header; nocase;
>> classtype:web-application-attack; sid:2012708; rev:2;)
>>
>> This replaces a nice, fat "Request-URI Too Large" into the
>> fast_pattern, which should improve performance.
>>
>> For further reference, none of the following make entries into the
>> fast_pattern matcher:
>> http cookie, http raw uri, http raw header, http raw cookie, http stat
>> code, http stat msg
>>
>> Matt
>>
>> On Tue, Apr 26, 2011 at 11:14 AM, Will Metcalf
>> <william.metcalf at ...2499...> wrote:
>>>
>>>> Is there some benefit to using the http keyword for these we might miss?
>>>
>>> There is a performance benefit... just not with rules comprised
>>> completely of any combination of the following keywords... namely,
>>> http_cookie,
>>> http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.
>>>
>>> Regards,
>>>
>>> Will
>>>
>>>
>>> On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman
>>> <jonkman at ...3176...> wrote:
>>>> Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers.
>>>>
>>>> The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on all platforms?
>>>>
>>>> Is there some benefit to using the http keyword for these we might miss?
>>>>
>>>> Thoughts?
>>>>
>>>> Matt
>>>>
>>>>
>>>> On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
>>>>
>>>>> IMHO this sig should be disabled by default.  Running the ET open
>>>>> rules against some production network captures rich with HTTP, this
>>>>> sig cost the most in terms of total ticks. Signatures comprised
>>>>> completely of keywords ignored by fast_pattern should be avoided.  As
>>>>> an aside, I think I have requested this before but, snort-devs imho
>>>>> you should allow your users more granular control over rule groupings
>>>>> i.e. allow them to optionally/additionally group sigs based on src/dst
>>>>> ip.  There is no reason why this sig should be so expensive in a data
>>>>> set comprised almost entirely of client HTTP requests.  I think the
>>>>> concern was memory consumption, but so what?... memory is cheap! Just
>>>>> my 2 cents...
>>>>>
>>>>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
>>>>> WEB_SERVER HTTP 414 Request URI Too Large";
>>>>> flow:from_server,established; content:"414"; http_stat_code;
>>>>> content:"Request-URI Too Large"; http_stat_msg; nocase;
>>>>> classtype:web-application-attack; sid:2012708; rev:2;)
>>>>>
>>>>> Regards,
>>>>>
>>>>> Will
>>>>>
>>>>> /me goes back to my WAF hole...
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at ...2992...
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>>>>
>>>>
>>>> ----------------------------------------------------
>>>> Matthew Jonkman
>>>> Emergingthreats.net
>>>> Emerging Threats Pro
>>>> Open Information Security Foundation (OISF)
>>>> Phone 765-807-8630 x110
>>>> Fax 312-264-0205
>>>> http://www.emergingthreatspro.com
>>>> http://www.openinfosecfoundation.org
>>>> ----------------------------------------------------
>>>>
>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>
>>>>
>>>>
>>>>
>>>
>>> ------------------------------------------------------------------------------
>>> WhatsUp Gold - Download Free Network Management Software
>>> The most intuitive, comprehensive, and cost-effective network
>>> management toolset available today.  Delivers lowest initial
>>> acquisition cost and overall TCO of any competing solution.
>>> http://p.sf.net/sfu/whatsupgold-sd
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
>
>
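The thread makes two separate claims about sid:2012708: that moving the reason phrase from http_stat_msg into http_header stops the rule from firing, because the status line is not part of the http_header buffer, and that a rule built only from http_stat_code / http_stat_msg contents has nothing to hand to the fast_pattern matcher and is therefore evaluated far more often than it should be. The following toy model, which is an added example and not Snort's code or an Emerging Threats rule engine, makes both points checkable. It assumes the simplified buffer split described in the thread (status line split into code and reason phrase, header lines excluded from the status line, body after the blank line) and uses a constructed response modelled on the one Will pasted; the reason phrase is written with the hyphen ("Request-URI Too Large") so that it is the string the rule actually looks for.

```python
"""Toy model of Snort HTTP response buffers and fast_pattern eligibility.

Added example for the sid:2012708 discussion; not Snort source code.
The buffer split below is a simplification of Snort's HTTP inspection.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample response, modelled on the 414 reply quoted in the thread.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 414 Request-URI Too Large\r\n"
    b"Date: Mon, 25 Apr 2011 18:55:13 GMT\r\n"
    b"Server: Apache/2.2.14 (Ubuntu)\r\n"
    b"Vary: Accept-Encoding\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: 249\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html>(constructed body)</html>"
)

# Buffers that, per the thread, never contribute to the fast_pattern matcher.
NOT_FAST_PATTERN = {
    "http_cookie", "http_raw_uri", "http_raw_header",
    "http_raw_cookie", "http_stat_code", "http_stat_msg",
}


@dataclass(frozen=True)
class Content:
    """One content:"..."; <buffer>; [nocase;] clause of a rule."""
    pattern: bytes
    buffer: str          # e.g. "http_header", "http_stat_msg"
    nocase: bool = False


def split_response(raw: bytes) -> Dict[str, bytes]:
    """Split a raw HTTP response into the buffers the rule keywords select.

    Status line -> http_stat_code and http_stat_msg; the header lines that
    follow it -> http_header (status line excluded, as confirmed in the
    thread); everything after the blank line -> body.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, headers = head.partition(b"\r\n")
    parts = status_line.split(b" ", 2)  # version, code, reason phrase
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP status line")
    return {
        "http_stat_code": parts[1],
        "http_stat_msg": parts[2] if len(parts) == 3 else b"",
        "http_header": headers + b"\r\n",
        "body": body,
    }


def content_matches(c: Content, buffers: Dict[str, bytes]) -> bool:
    hay = buffers.get(c.buffer, b"")
    if c.nocase:
        return c.pattern.lower() in hay.lower()
    return c.pattern in hay


def rule_fires(contents: Tuple[Content, ...], buffers: Dict[str, bytes]) -> bool:
    """All content clauses must match in their own buffer for the rule to alert."""
    return all(content_matches(c, buffers) for c in contents)


def fast_pattern(contents: Tuple[Content, ...]) -> Optional[bytes]:
    """Longest content in a fast_pattern-eligible buffer, or None if there is
    none (in which case the rule cannot be pre-filtered and is evaluated
    against every packet in its port group)."""
    eligible = [c.pattern for c in contents if c.buffer not in NOT_FAST_PATTERN]
    return max(eligible, key=len) if eligible else None


# sid:2012708 rev:2 as posted in the thread (reason phrase in http_stat_msg).
RULE_STAT_MSG = (
    Content(b"414", "http_stat_code"),
    Content(b"Request-URI Too Large", "http_stat_msg", nocase=True),
)

# The proposed rewrite that moved the reason phrase into http_header.
RULE_HEADER = (
    Content(b"414", "http_stat_code"),
    Content(b"Request-URI Too Large", "http_header", nocase=True),
)


def compare() -> Dict[str, object]:
    """Evaluate both rule variants against the sample response."""
    buffers = split_response(SAMPLE_RESPONSE)
    return {
        "stat_msg_fires": rule_fires(RULE_STAT_MSG, buffers),
        "stat_msg_fast_pattern": fast_pattern(RULE_STAT_MSG),
        "header_fires": rule_fires(RULE_HEADER, buffers),
        "header_fast_pattern": fast_pattern(RULE_HEADER),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value!r}")
```

Running it shows the trade-off the thread is circling: the http_stat_msg variant fires on the sample response but has no fast_pattern content at all, while the http_header variant does get "Request-URI Too Large" as its fast pattern yet never fires, because that string only ever appears in the status line. A variant that does both would need a content in a fast_pattern-eligible buffer that is genuinely present in 414 responses, which the thread does not identify.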

