Snort mailing list archives
Re: [Emerging-Sigs] 2012708
From: Steven Sturges <ssturges () sourcefire com>
Date: Tue, 26 Apr 2011 12:40:07 -0400
And a heads up that, because it provides no distinct advantage, http_method will be added to that list in the next release. 99.8% of the time it will be a GET or a POST that we're searching with the fast pattern.

On 4/26/11 12:21 PM, Matt Olney wrote:

This is because http_stat_code doesn't add to the fast_pattern matcher. In this case, since http_stat_code does no normalization (and therefore the content would be the same in http_header), I'd recommend the following:

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; content:"414"; http_stat_code; content:"Request-URI Too Large"; http_header; nocase; classtype:web-application-attack; sid:2012708; rev:2;)

This replaces a nice, fat "Request-URI Too Large" into the fast_pattern, which should improve performance. For further reference, none of the following make entries into the fast_pattern matcher: http_cookie, http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg

Matt

On Tue, Apr 26, 2011 at 11:14 AM, Will Metcalf <william.metcalf () gmail com> wrote:

Is there some benefit to using the http keyword for these we might miss?

There is a performance benefit... just not with rules comprised completely of any combination of the following keywords... namely, http_cookie, http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.

Regards,

Will

On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman <jonkman () emergingthreatspro com> wrote:

Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers. The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on all platforms? Is there some benefit to using the http keyword for these we might miss?

Thoughts?

Matt

On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:

IMHO this sig should be disabled by default. Running the ET open rules against some production network captures rich with HTTP, this sig cost the most in terms of total ticks. Signatures comprised completely of keywords ignored by fast_pattern should be avoided.

As an aside, I think I have requested this before, but, snort-devs, IMHO you should allow your users more granular control over rule groupings, i.e. allow them to optionally/additionally group sigs based on src/dst IP. There is no reason why this sig should be so expensive in a data set comprised almost entirely of client HTTP requests. I think the concern was memory consumption, but so what?... memory is cheap! Just my 2 cents...

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; content:"414"; http_stat_code; content:"Request-URI Too Large"; http_stat_msg; nocase; classtype:web-application-attack; sid:2012708; rev:2;)

Regards,

Will

/me goes back to my WAF hole...

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
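The thread's point is that a rule whose every content sits in http_cookie, http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code or http_stat_msg gives the fast_pattern matcher nothing to prefilter on, so the whole rule is evaluated without that shortcut. The following is an added example, not code from the thread or from Snort: a small linter that parses a Snort 2.x rule, works out which content would be handed to the fast_pattern matcher, and flags rules that have none. The selection model (an explicit fast_pattern modifier wins, otherwise the longest non-negated eligible content, first one on a tie) is an approximation written for this example, not Snort's actual implementation. The http_method handling is modelled from Steven Sturges's statement that it will join the excluded list and is offered as an opt-in flag; the METHOD_RULE string is constructed for illustration.

```python
# Added example: linter for the "every content ignored by fast_pattern" anti-pattern.
# Not Snort code; the selection model is an approximation written for this example.

# Buffers that, per Matt Olney's and Will Metcalf's messages, never enter
# the fast_pattern matcher.
NON_FAST_PATTERN_BUFFERS = frozenset({
    "http_cookie", "http_raw_uri", "http_raw_header", "http_raw_cookie",
    "http_stat_code", "http_stat_msg",
})
# Steven Sturges says http_method joins that list in the next release; modelled
# here as an opt-in (assumption: nothing else in the selection changes).
NEXT_RELEASE_BUFFERS = NON_FAST_PATTERN_BUFFERS | {"http_method"}

# Options that modify the content immediately before them.
CONTENT_MODIFIERS = frozenset({
    "nocase", "rawbytes", "depth", "offset", "distance", "within",
    "fast_pattern", "http_client_body", "http_cookie", "http_raw_cookie",
    "http_header", "http_raw_header", "http_method", "http_uri",
    "http_raw_uri", "http_stat_code", "http_stat_msg",
})

# The two versions of sid 2012708 posted in the thread.
ORIGINAL_2012708 = (
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER '
    'HTTP 414 Request URI Too Large"; flow:from_server,established; '
    'content:"414"; http_stat_code; content:"Request-URI Too Large"; '
    'http_stat_msg; nocase; classtype:web-application-attack; sid:2012708; rev:2;)'
)
PROPOSED_2012708 = ORIGINAL_2012708.replace("http_stat_msg; nocase;", "http_header; nocase;")
# Constructed rule to show the effect of excluding http_method.
METHOD_RULE = ('alert tcp any any -> any any (msg:"constructed"; content:"POST"; '
               'http_method; content:"/a"; http_uri; sid:1;)')


def split_options(body):
    """Split the rule body on ';' characters that sit outside double quotes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def content_length(pattern):
    """Matched byte count of a content string; a |41 42| block is two bytes."""
    n, i = 0, 0
    while i < len(pattern):
        if pattern[i] == "|":
            end = pattern.index("|", i + 1)
            n += len(pattern[i + 1:end].split())
            i = end + 1
        else:
            n += 1
            i += 2 if pattern[i] == "\\" else 1
    return n


def parse_contents(rule):
    """Return the rule's contents with their buffer and modifiers, in order."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for opt in split_options(body):
        name, _, arg = opt.partition(":")
        name, arg = name.strip(), arg.strip()
        if name == "content":
            contents.append({"pattern": arg.lstrip("!").strip().strip('"'),
                             "negated": arg.startswith("!"),
                             "buffer": "raw",  # until an http_* modifier follows
                             "modifiers": set()})
        elif name in CONTENT_MODIFIERS and contents:
            contents[-1]["modifiers"].add(name)
            if name.startswith("http_"):
                contents[-1]["buffer"] = name
    return contents


def choose_fast_pattern(rule, next_release=False):
    """(pattern, buffer) the model hands to fast_pattern, or None if nothing qualifies."""
    excluded = NEXT_RELEASE_BUFFERS if next_release else NON_FAST_PATTERN_BUFFERS
    eligible = [c for c in parse_contents(rule)
                if not c["negated"] and c["buffer"] not in excluded]
    if not eligible:
        return None
    explicit = [c for c in eligible if "fast_pattern" in c["modifiers"]]
    pick = explicit[0] if explicit else max(eligible, key=lambda c: content_length(c["pattern"]))
    return pick["pattern"], pick["buffer"]


def lint(rule, next_release=False):
    """One-line verdict in the spirit of Will Metcalf's advice."""
    fp = choose_fast_pattern(rule, next_release)
    if fp is None:
        return "no fast_pattern candidate; rule is evaluated without prefilter"
    return "fast_pattern %r from %s (%d bytes)" % (fp[0], fp[1], content_length(fp[0]))


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_2012708), ("proposed", PROPOSED_2012708)):
        print(label + ":", lint(rule))
```

Run against the two rules from the thread, the original rev:2 produces no candidate, while Matt Olney's http_header variant yields the 21-byte "Request-URI Too Large" as its fast pattern. With next_release=True the constructed METHOD_RULE switches from "POST" to the shorter http_uri content, which is the trade Sturges describes: a GET or POST method string is rarely a useful prefilter anyway.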
Current thread:
- 2012708 Will Metcalf (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matthew Jonkman (Apr 26)
- Re: [Emerging-Sigs] 2012708 Will Metcalf (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matt Olney (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matthew Jonkman (Apr 26)
- Re: [Emerging-Sigs] 2012708 Steven Sturges (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matthew Jonkman (Apr 26)
- Re: [Emerging-Sigs] 2012708 Steven Sturges (Apr 26)
- Re: [Emerging-Sigs] 2012708 Will Metcalf (Apr 26)
- Re: [Emerging-Sigs] 2012708 Will Metcalf (Apr 26)
- Re: [Emerging-Sigs] 2012708 rmkml (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matthew Jonkman (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matthew Jonkman (Apr 26)