[Snort-devel] [Emerging-Sigs] 2012708

Steven Sturges ssturges at ...402...
Tue Apr 26 14:13:18 EDT 2011


If Snort searches the extracted method for anything with fast pattern
matcher, it should do that searching it for all methods.  The overhead
is in searching it at all, not based on the different patterns involved.

On 4/26/11 12:42 PM, Matthew Jonkman wrote:
> Is it feasible to not add get or post, but DO add other less usual methods?
>
> Matt
>
> On Apr 26, 2011, at 12:40 PM, Steven Sturges wrote:
>
>> And a heads up that because it provides no distinct advantage
>> http method will be added to that list in the next release.
>>
>> 99.8% of the time it will be a get or a post that we're searching
>> with the fast pattern.
>>
>> On 4/26/11 12:21 PM, Matt Olney wrote:
>>> This is because http_stat_code doesn't add to the fast_pattern
>>> matcher.  In this case, since http_stat_code does no normalization (and
>>> therefore the content would be the same in http_header), I'd
>>> recommend the following:
>>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
>>> WEB_SERVER HTTP 414 Request URI Too Large";
>>> flow:from_server,established; content:"414"; http_stat_code;
>>> content:"Request-URI Too Large"; http_header; nocase;
>>> classtype:web-application-attack; sid:2012708; rev:2;)
>>>
>>> This replaces a nice, fat "Request-URI Too Large" into the
>>> fast_pattern, which should improve performance.
>>>
>>> For further reference, none of the following make entries into the
>>> fast_pattern matcher:
>>> http cookie, http raw uri, http raw header, http raw cookie, http stat
>>> code, http stat msg
>>>
>>> Matt
>>>
>>> On Tue, Apr 26, 2011 at 11:14 AM, Will Metcalf
>>> <william.metcalf at ...2499...>   wrote:
>>>>
>>>>> Is there some benefit to using the http keyword for these we might miss?
>>>>
>>>> There is a performance benefit... just not with rules comprised
>>>> completely of any combination of the following keywords... namely,
>>>> http_cookie,
>>>> http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>>
>>>> On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman
>>>> <jonkman at ...3176...>   wrote:
>>>>> Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers.
>>>>>
>>>>> The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on all platforms?
>>>>>
>>>>> Is there some benefit to using the http keyword for these we might miss?
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> Matt
>>>>>
>>>>>
>>>>> On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
>>>>>
>>>>>> IMHO this sig should be disabled by default.  Running the ET open
>>>>>> rules against some production network captures rich with HTTP, this
>>>>>> sig cost the most in terms of total ticks. Signatures comprised
>>>>>> completely of keywords ignored by fast_pattern should be avoided.  As
>>>>>> an aside, I think I have requested this before but, snort-devs imho
>>>>>> you should allow your users more granular control over rule groupings
>>>>>> i.e. allow them to optionally/additionally group sigs based on src/dst
>>>>>> ip.  There is no reason why this sig should be so expensive in a data
>>>>>> set comprised almost entirely of client HTTP requests.  I think the
>>>>>> concern was memory consumption, but so what?... memory is cheap! Just
>>>>>> my 2 cents...
>>>>>>
>>>>>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
>>>>>> WEB_SERVER HTTP 414 Request URI Too Large";
>>>>>> flow:from_server,established; content:"414"; http_stat_code;
>>>>>> content:"Request-URI Too Large"; http_stat_msg; nocase;
>>>>>> classtype:web-application-attack; sid:2012708; rev:2;)
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Will
>>>>>>
>>>>>> /me goes back to my WAF hole...
>>>>>> _______________________________________________
>>>>>> Emerging-sigs mailing list
>>>>>> Emerging-sigs at ...2992...
>>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>>
>>>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>>>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>>>>>
>>>>>
>>>>> ----------------------------------------------------
>>>>> Matthew Jonkman
>>>>> Emergingthreats.net
>>>>> Emerging Threats Pro
>>>>> Open Information Security Foundation (OISF)
>>>>> Phone 765-807-8630 x110
>>>>> Fax 312-264-0205
>>>>> http://www.emergingthreatspro.com
>>>>> http://www.openinfosecfoundation.org
>>>>> ----------------------------------------------------
>>>>>
>>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>
>>>> ------------------------------------------------------------------------------
>>>> WhatsUp Gold - Download Free Network Management Software
>>>> The most intuitive, comprehensive, and cost-effective network
>>>> management toolset available today.  Delivers lowest initial
>>>> acquisition cost and overall TCO of any competing solution.
>>>> http://p.sf.net/sfu/whatsupgold-sd
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>>
>>
>
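The selection behaviour discussed in this thread (contents placed in http_cookie, http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code or http_stat_msg never reach the fast_pattern matcher, so a rule built only from those is searched without any fast-pattern prefilter) can be checked mechanically before a rule ships. The script below is an added example, not code from the thread or from the Snort project. It parses the content: options of a Snort 2.x rule, discards those sitting in the ignored buffers, and reports which pattern would be handed to the fast-pattern matcher. The "longest eligible content wins unless fast_pattern is set explicitly" model, the option parser, and the list of other buffer modifiers are simplifying assumptions for illustration, not a description of Snort's exact heuristic. The two rules embedded are the sid:2012708 variants quoted in the thread, joined onto one line each.

```python
"""Simplified model of which content: in a Snort 2.x rule lands in the
fast_pattern matcher (example code, not Snort's implementation)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Buffers that, per the thread, never feed the fast_pattern matcher.
NON_FAST_PATTERN_BUFFERS = {
    "http_cookie", "http_raw_uri", "http_raw_header",
    "http_raw_cookie", "http_stat_code", "http_stat_msg",
}
# Other content buffer modifiers this parser recognises (assumed list).
OTHER_BUFFERS = {"http_uri", "http_header", "http_client_body", "http_method"}


@dataclass
class Content:
    pattern: str
    buffer: Optional[str] = None        # None means the raw payload
    explicit_fast_pattern: bool = False


def parse_contents(rule: str) -> List[Content]:
    """Extract each content: option and the modifiers that follow it.

    Assumes the option list is a trailing (...) block and that no option
    value contains an unescaped ';' (true of the rules in the thread).
    """
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("no option section found")
    contents: List[Content] = []
    for opt in m.group(1).split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        key = key.strip()
        if key == "content":
            contents.append(Content(value.strip().strip('"')))
        elif contents and key in NON_FAST_PATTERN_BUFFERS | OTHER_BUFFERS:
            contents[-1].buffer = key            # modifier binds to last content
        elif contents and key == "fast_pattern":  # also matches fast_pattern:only
            contents[-1].explicit_fast_pattern = True
        # msg, flow, nocase, sid, ... do not affect fast-pattern selection here
    return contents


def fast_pattern_candidate(rule: str) -> Optional[str]:
    """Return the pattern the fast_pattern matcher would search for, or None
    when every content: sits in a buffer the matcher ignores.

    Model (an assumption, not Snort's documented heuristic): an explicit
    fast_pattern modifier wins; otherwise the longest eligible content does,
    which is why the thread prefers a "nice, fat" header string.
    """
    eligible = [c for c in parse_contents(rule)
                if c.buffer not in NON_FAST_PATTERN_BUFFERS]
    if not eligible:
        return None
    for c in eligible:
        if c.explicit_fast_pattern:
            return c.pattern
    return max(eligible, key=lambda c: len(c.pattern)).pattern


# The two variants of sid:2012708 from the thread, joined onto one line each.
RULE_STAT_MSG = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET '
                 'WEB_SERVER HTTP 414 Request URI Too Large"; '
                 'flow:from_server,established; content:"414"; http_stat_code; '
                 'content:"Request-URI Too Large"; http_stat_msg; nocase; '
                 'classtype:web-application-attack; sid:2012708; rev:2;)')
RULE_HEADER = RULE_STAT_MSG.replace("http_stat_msg", "http_header")

if __name__ == "__main__":
    for name, rule in (("http_stat_msg", RULE_STAT_MSG), ("http_header", RULE_HEADER)):
        fp = fast_pattern_candidate(rule)
        verdict = f"fast pattern {fp!r}" if fp else "NO fast pattern (full evaluation on every packet)"
        print(f"{name:14} -> {verdict}")
```

Running it over a rule set and flagging every rule that returns None reproduces the check Will Metcalf did by profiling: those are the rules that fall through to full evaluation on every packet in the port group.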
