[Snort-devel] [Emerging-Sigs] 2012708

Matthew Jonkman jonkman at ...3176...
Tue Apr 26 14:03:01 EDT 2011


So I'll make them no http+* at all for current snorts then. Note, no change to the previous snort's rules.

Thanks!!

Matt


On Apr 26, 2011, at 1:10 PM, rmkml wrote:

> Hi,
> Confirm it, no match with http_header.
> Regards
> Rmkml
> 
> 
> On Tue, 26 Apr 2011, Will Metcalf wrote:
> 
>> I don't think that the status-line is included in the http_header
>> buffer, correct?  I think your modification will cause this sig not to
>> fire.
>> 
>> HTTP/1.1 414 Request URI Too Large
>> Date: Mon, 25 Apr 2011 18:55:13 GMT
>> Server: Apache/2.2.14 (Ubuntu)
>> Vary: Accept-Encoding
>> Content-Encoding: gzip
>> Content-Length: 249
>> Content-Type: text/html; charset=iso-8859-1
>> 
>> Regards,
>> 
>> Will
>> 
>> On Tue, Apr 26, 2011 at 11:21 AM, Matt Olney <molney at ...402...> wrote:
>>> This is because http_stat_code doesn't add to the fast_pattern
>>> matcher.  In this case, since http_stat_code does no normalization (and
>>> therefore the content would be the same in http_header), I'd
>>> recommend the following:
>>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
>>> WEB_SERVER HTTP 414 Request URI Too Large";
>>> flow:from_server,established; content:"414"; http_stat_code;
>>> content:"Request-URI Too Large"; http_header; nocase;
>>> classtype:web-application-attack; sid:2012708; rev:2;)
>>> 
>>> This replaces a nice, fat "Request-URI Too Large" into the
>>> fast_pattern, which should improve performance.
>>> 
>>> For further reference, none of the following make entries into the
>>> fast_pattern matcher:
>>> http cookie, http raw uri, http raw header, http raw cookie, http stat
>>> code, http stat msg
>>> 
>>> Matt
>>> 
>>> On Tue, Apr 26, 2011 at 11:14 AM, Will Metcalf
>>> <william.metcalf at ...2499...> wrote:
>>>> 
>>>>> Is there some benefit to using the http keyword for these we might miss?
>>>> 
>>>> There is a performance benefit... just not with rules comprised
>>>> completely of any combination of the following keywords... namely,
>>>> http_cookie,
>>>> http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.
>>>> 
>>>> Regards,
>>>> 
>>>> Will
>>>> 
>>>> 
>>>> On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman
>>>> <jonkman at ...3176...> wrote:
>>>>> Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers.
>>>>> 
>>>>> The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on all platforms?
>>>>> 
>>>>> Is there some benefit to using the http keyword for these we might miss?
>>>>> 
>>>>> Thoughts?
>>>>> 
>>>>> Matt
>>>>> 
>>>>> 
>>>>> On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
>>>>> 
>>>>>> IMHO this sig should be disabled by default.  Running the ET open
>>>>>> rules against some production network captures rich with HTTP, this
>>>>>> sig cost the most in terms of total ticks. Signatures comprised
>>>>>> completely of keywords ignored by fast_pattern should be avoided.  As
>>>>>> an aside, I think I have requested this before but, snort-devs imho
>>>>>> you should allow your users more granular control over rule groupings
>>>>>> i.e. allow them to optionally/additionally group sigs based on src/dst
>>>>>> ip.  There is no reason why this sig should be so expensive in a data
>>>>>> set comprised almost entirely of client HTTP requests.  I think the
>>>>>> concern was memory consumption, but so what?... memory is cheap! Just
>>>>>> my 2 cents...
>>>>>> 
>>>>>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
>>>>>> WEB_SERVER HTTP 414 Request URI Too Large";
>>>>>> flow:from_server,established; content:"414"; http_stat_code;
>>>>>> content:"Request-URI Too Large"; http_stat_msg; nocase;
>>>>>> classtype:web-application-attack; sid:2012708; rev:2;)
>>>>>> 
>>>>>> Regards,
>>>>>> 
>>>>>> Will
>>>>>> 
>>>>>> /me goes back to my WAF hole...
>>>>>> _______________________________________________
>>>>>> Emerging-sigs mailing list
>>>>>> Emerging-sigs at ...2992...
>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>> 
>>>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>>>>> 
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> 
>> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
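The thread above turns on two facts: which Snort HTTP buffers feed the fast_pattern matcher, and which bytes of a response each buffer actually holds (the status line is not part of http_header, so moving "Request-URI Too Large" there buys a fast pattern but loses the match). The script below is an added example, not code from the thread or from Snort: it models both facts as stated by Matt Olney, Will Metcalf and rmkml, parses the content options of a rule, and reports, for the three variants of sid:2012708 under discussion, whether the rule matches a constructed 414 response and which content (if any) would be the fast pattern. The buffer model, the assumption that the longest eligible content becomes the fast pattern, the sample response, and the "no http_* modifiers" variant of the rule are all assumptions made here for illustration.

```python
"""Model of the sid:2012708 discussion: fast_pattern eligibility vs. buffer contents.

Assumptions (taken from the thread, not from Snort source):
  * The six buffers Matt Olney listed never contribute a fast pattern.
  * http_header holds only the header block; the status line is split into
    http_stat_code and http_stat_msg (as rmkml confirmed).
  * A content with no HTTP modifier matches the raw payload and is eligible.
  * Without an explicit fast_pattern option, the longest eligible content wins.
Hex (|..|) content patterns and other buffers are not handled; this is a
linting aid for the pattern seen in this thread, not a Snort reimplementation.
"""
import re

# Buffers that never populate the fast_pattern matcher (list from the thread).
NO_FAST_PATTERN = {
    "http_cookie", "http_raw_uri", "http_raw_header",
    "http_raw_cookie", "http_stat_code", "http_stat_msg",
}
# Buffers that do feed fast_pattern; "raw" is a content with no HTTP modifier.
FAST_PATTERN_OK = {"raw", "http_uri", "http_header", "http_client_body", "http_method"}

# Split rule options on ';' only when it is outside double quotes.
_OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_contents(rule):
    """Return one dict per content: option, with the buffer modifier that
    follows it (default 'raw') and whether nocase was applied."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for opt in (o.strip() for o in _OPT_SPLIT.split(body)):
        if not opt:
            continue
        if opt.startswith("content:"):
            pattern = opt.split(":", 1)[1].strip().strip('"')
            contents.append({"pattern": pattern, "buffer": "raw", "nocase": False})
        elif contents and opt in NO_FAST_PATTERN | FAST_PATTERN_OK:
            contents[-1]["buffer"] = opt          # modifier binds to the preceding content
        elif contents and opt == "nocase":
            contents[-1]["nocase"] = True
    return contents


def build_buffers(response):
    """Split a raw HTTP response into the buffers the content options look at.
    The status line is deliberately kept out of http_header (thread assumption)."""
    head = response.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    _version, code, msg = status_line.split(" ", 2)
    return {"raw": response, "http_stat_code": code,
            "http_stat_msg": msg, "http_header": header_block}


def evaluate(rule, response):
    """Report whether every content matches its buffer and which content would
    become the fast pattern (None means the rule bypasses the fast matcher)."""
    buffers = build_buffers(response)
    contents = parse_contents(rule)
    matched = True
    for c in contents:
        hay, needle = buffers.get(c["buffer"], ""), c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            matched = False
    eligible = [c["pattern"] for c in contents if c["buffer"] in FAST_PATTERN_OK]
    return {"matches": matched,
            "fast_pattern": max(eligible, key=len) if eligible else None}


# Constructed 414 response modelled on the one Will pasted (hyphenated reason phrase
# so the rule's content can match; a real server's wording may differ).
RESPONSE = (
    "HTTP/1.1 414 Request-URI Too Large\r\n"
    "Date: Mon, 25 Apr 2011 18:55:13 GMT\r\n"
    "Server: Apache/2.2.14 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html>414</html>"
)

_HEAD = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any '
         '(msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; ')
_TAIL = ' classtype:web-application-attack; sid:2012708; rev:2;)'
# Variant 1: the rule Will flagged (everything in fast_pattern-ignored buffers).
RULE_STAT_MSG = _HEAD + 'content:"414"; http_stat_code; content:"Request-URI Too Large"; http_stat_msg; nocase;' + _TAIL
# Variant 2: Matt Olney's suggestion (reason phrase moved to http_header).
RULE_HEADER = _HEAD + 'content:"414"; http_stat_code; content:"Request-URI Too Large"; http_header; nocase;' + _TAIL
# Variant 3: assumed reading of "no http_* at all": plain payload contents.
RULE_RAW = _HEAD + 'content:"414"; content:"Request-URI Too Large"; nocase;' + _TAIL


if __name__ == "__main__":
    for name, rule in (("stat_msg", RULE_STAT_MSG), ("header", RULE_HEADER), ("raw", RULE_RAW)):
        print(f"{name:9s} {evaluate(rule, RESPONSE)}")
```

Run stand-alone, the report shows the trade-off the thread works through: the http_stat_msg variant matches but has no fast pattern (every packet on the port goes through full evaluation, which is why it cost the most ticks); the http_header variant gains "Request-URI Too Large" as a fast pattern but no longer matches because the status line is not in that buffer; the plain-content variant both matches and gets the fast pattern.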
