[Snort-users] http content host matching rule optimization

Matt Olney molney at ...1935...
Mon Dec 7 12:05:37 EST 2009


I should be smacked.  I should really not try to fire off quick emails.

I have been appropriately corrected that www.badsite.com won't be in
the uri buffer.  So your original rule was correct; I'd add the caveat
that if you have a particular file or path that is provided, I'd put
that in the uri buffer, for the reasons I had above.

Sorry for the screw up.


On Mon, Dec 7, 2009 at 11:35 AM, Matt Olney <molney at ...1935...> wrote:
> If I understand correctly:
> You get a list of URLs such as:
> www.badsite.com/malware.pl
> This is the rule I'd write:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (Msg: "Mal_URI
> www.badsite.com/malware.pl"; flow: to_server, established;
> content:"www.badsite.com/malware.pl"; http_uri; nocase; sid:
> 23424234;)
> If you want to add thresholding, etc, that's fine.  The important
> difference here is the use of the uri buffer as opposed to the header
> buffer.  This has two advantages:
> 1)  The uri buffer is normalized, so
> www.badsite.com/../../..\../malware.pl will still fire.  The header
> field is not normalized.
> 2)  The uri buffer is smaller, so snort processes less data.
> Hope that helps, let me know if you have more questions,
> Matt
> On Mon, Dec 7, 2009 at 11:22 AM, Greg <j.greg.k at ...11827...> wrote:
>> I am curious if I can optimize this rule any further. I have a Perl
>> script that runs once every few days that takes a manual download from
>> MalwareURL.com and converts the data into a file that I include into
>> the snort config.
>> Since the file is long (around 3k entries) I am trying to minimize the
>> alarms and overhead costs. I figure since I am focusing on the
>> http_header and not the entire payload I gain some efficiency. Also
>> using HTTP_PORTS as defined in snort.conf instead of ANY. I had to
>> create unique SIDS for each URL though so I could use destination
>> tracking to suppress extra hits. I only need to know that the access
>> occurred in snort and then I go to a tshark capture device I built to
>> replay the events to see the details.
>> Below is the script segment that generates all the rules from the data
>> file. Is this the most efficient? Is there a better way?
>> -Thanks
>> Greg
>> while (<IN>) {
>>  chomp ($_);
>>  print "alert tcp \$HOME_NET any -> \$EXTERNAL_NET \$HTTP_PORTS
>> (msg:\"MalURL $_\"; flow:from_client; content:\"$_\"; http_header;
>> nocase; threshold: type limit, track by_dst, seconds 3600, count 1;
>> sid:$sid; rev:1;)\n";
>>  $sid++;
>> }
>> close (IN);
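An added example, not part of the original thread or Greg's script: a Python sketch of the rule generator adjusted per the correction above, matching the host in the header buffer and any supplied path in the uri buffer. The starting SID, the sample entries and the defensive hex-escaping of `;`, `\`, `"`, `|` and `:` inside content strings are assumptions of this example.

```python
import re

# Bytes hex-encoded inside content:"..." so a list entry cannot break rule syntax.
_SPECIAL = set(b';\\"|:')

def snort_content(text):
    """Encode text for a content option; special/non-printable bytes become |XX|."""
    out, run = [], []
    for b in text.encode("utf-8"):
        if b in _SPECIAL or not 0x21 <= b <= 0x7E:
            run.append("%02X" % b)
            continue
        if run:
            out.append("|" + " ".join(run) + "|")
            run = []
        out.append(chr(b))
    if run:
        out.append("|" + " ".join(run) + "|")
    return "".join(out)

def split_entry(entry):
    """Split 'host/path' (optional scheme) into (host, path); path is '' if absent."""
    entry = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry.strip(), flags=re.I)
    host, slash, rest = entry.partition("/")
    path = slash + rest
    return host, (path if len(path) > 1 else "")

def make_rule(entry, sid):
    host, path = split_entry(entry)
    if not host:
        return None
    msg = re.sub(r"[^A-Za-z0-9._/-]", "_", host + path)  # keep msg free of ; and "
    opts = ['msg:"MalURL %s"' % msg, "flow:to_server,established",
            'content:"%s"' % snort_content(host), "http_header", "nocase"]
    if path:  # only a supplied file or path goes to the normalized uri buffer
        opts += ['content:"%s"' % snort_content(path), "http_uri", "nocase"]
    opts += ["threshold: type limit, track by_dst, seconds 3600, count 1",
             "sid:%d" % sid, "rev:1"]
    return ("alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ("
            + "; ".join(opts) + ";)")

def generate(entries, first_sid=1000001):  # first_sid: assumed local SID range
    rules = []
    for entry in entries:
        rule = make_rule(entry, first_sid + len(rules))
        if rule:
            rules.append(rule)
    return rules

# Constructed sample entries, not real MalwareURL.com data.
SAMPLE = ["www.badsite.com/malware.pl", 'http://evil.example/a;b.php?x="1"',
          "bare-host.example", ""]
if __name__ == "__main__":
    print("\n".join(generate(SAMPLE)))
```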