[Snort-users] http content host matching rule optimization

Matt Olney molney at ...1935...
Mon Dec 7 11:35:35 EST 2009


If I understand correctly:

You get a list of URLs such as:

www.badsite.com/malware.pl

This is the rule I'd write:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Mal_URI www.badsite.com/malware.pl"; flow:to_server,established; content:"www.badsite.com/malware.pl"; http_uri; nocase; sid:23424234;)

If you want to add thresholding, etc, that's fine.  The important
difference here is the use of the uri buffer as opposed to the header
buffer.  This has two advantages:

1)  The uri buffer is normalized, so
www.badsite.com/../../..\../malware.pl will still fire.  The header
field is not normalized.
2)  The uri buffer is smaller, so snort processes less data.

Hope that helps, let me know if you have more questions,

Matt
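Added example, not code from either message in this thread: a small Python generator in the shape of Greg's script that emits one rule per list entry using the http_uri buffer as the reply suggests, and escapes the characters Snort treats specially inside a double-quoted string (a URL containing `;` or `"` would otherwise break the generated rules file). The sample list, the file layout it assumes (one host/path per line, `#` comments) and the starting SID are constructed.

```python
import re

# Characters Snort treats specially inside content:"..." and msg:"..."
# (the Snort 2.x manual lists ; \ and "; the hex delimiter | is escaped so
# it is taken literally too). Each must be preceded by a backslash.
_SPECIAL = {';': r'\;', '\\': r'\\', '"': r'\"', '|': r'\|'}

# Constructed sample list in host/path style; not real indicators.
SAMPLE_URLS = """\
# constructed sample, not real indicators
www.badsite.com/malware.pl
http://www.badsite.com/malware.pl
example.net/dl.php?id=1;x=2
evil.example/a"b|c
"""

def escape_content(s):
    """Escape a literal so it survives inside a Snort double-quoted string."""
    return ''.join(_SPECIAL.get(ch, ch) for ch in s)

def strip_scheme(entry):
    """Drop a leading scheme:// so every entry is handled as host/path."""
    return re.sub(r'^[A-Za-z][A-Za-z0-9+.-]*://', '', entry)

def make_rule(entry, sid, rev=1):
    """One rule matching the entry in the normalized URI buffer (http_uri)."""
    match = escape_content(strip_scheme(entry))
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
            f'(msg:"Mal_URI {match}"; flow:to_server,established; '
            f'content:"{match}"; http_uri; nocase; '
            'threshold:type limit, track by_dst, count 1, seconds 3600; '
            f'sid:{sid}; rev:{rev};)')

def generate_rules(lines, first_sid):
    """One rule per unique entry; blanks, '#' comments and duplicates skipped."""
    rules, seen, sid = [], set(), first_sid
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith('#'):
            continue
        key = strip_scheme(entry).lower()   # rules use nocase, so dedupe nocase
        if key in seen:
            continue
        seen.add(key)
        rules.append(make_rule(entry, sid))
        sid += 1
    return rules

if __name__ == '__main__':
    for rule in generate_rules(SAMPLE_URLS.splitlines(), 1000001):
        print(rule)
```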

On Mon, Dec 7, 2009 at 11:22 AM, Greg <j.greg.k at ...11827...> wrote:
> I am curious if I can optimize this rule any further. I have a Perl
> script that runs once every few days that takes a manual download from
> MalwareURL.com and converts the data into a file that I include into
> the snort config.
>
> Since the file is long (around 3k entries) I am trying to minimize the
> alarms and overhead costs. I figure since I am focusing on the
> http_header and not the entire payload I gain some efficiency. Also
> using HTTP_PORTS as defined in snort.conf instead of ANY. I had to
> create unique SIDS for each URL though so I could use destination
> tracking to suppress extra hits. I only need to know that the access
> occurred in snort and then I go to a tshark capture device I built to
> replay the events to see the details.
>
> Below is the script segment that generates all the rules from the data
> file. Is this the most efficient? Is there a better way?
>
> -Thanks
> Greg
>
>
> use strict;
> use warnings;
>
> # Assumed setup for the segment below: the input file name and the
> # starting SID are placeholders, not values from the original script.
> my $sid = 1000001;
> open(IN, '<', 'malware_urls.txt') or die "cannot open URL list: $!";
>
> while (<IN>) {
>   chomp ($_);
>   # one rule per URL, kept on a single line (Snort needs the whole rule
>   # on one line unless each continued line ends in a backslash)
>   print "alert tcp \$HOME_NET any -> \$EXTERNAL_NET \$HTTP_PORTS (msg:\"MalURL $_\"; flow:from_client; content:\"$_\"; http_header; nocase; threshold: type limit, track by_dst, seconds 3600, count 1; sid:$sid; rev:1;)\n";
>   $sid++;
> }
> close (IN);
>