Snort mailing list archives

Re: Rule efficiency


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 26 Jul 2010 15:38:13 -0400

On 7/26/2010 08:42, Isherwood, Jeffrey - IS wrote:
> Yes I did see that snippet of rule... very nice... would that work more efficiently than using the "http_header" option
> with my previous content search of: (content:"crappydomain.com";

> Or does the one that you proposed:  (content:"|0d 0a|Host\: crappydomain.com|0d 0a|"

> Work faster or more accurately?

i don't know, really... that's one of the things i asked when i posted it ;)

i will say that, for now, in another rules discussion list that i participate 
in, the way i showed is how we do it and that is mainly for compatibility with 
older snort versions...

> I asked the bosses this morning BTW if they wanted http traffic to crappydomain.com or all TCP traffic, and they were
> unsure... they will be getting back to me.  I have a sinking suspicion that they want ALL traffic tho, based upon
> "looks" I got when I asked the question.

that is probably what they originally meant but remember, they are bosses and 
that doesn't give them any more insight... especially in this world where all 
too many people think the web and port 80 are "_the_ internet" and they have no 
clue about how everything else works...

> If they come back with "Yes we want all TCP traffic headed there" I will need to find a way to look only for traffic
> headed there instead of simply traffic that contains the term, as the blog posting that points to or mentions
> "crappydomain.com" is setting off my rules with false positives.

right... that's the FP i mentioned that your rule will cause... it is actually 
doing exactly what you asked but that's not what you meant ;)

a quick question concerning your task... is this concerning sites that you 
host/hosted so you are looking for inbound traffic to them or are these sites 
that the corporate entity has placed "out of bounds" and you are looking for 
outbound traffic to them?

if the sites were hosted and are no longer available, what is the reasoning for 
looking for traffic headed to them? why not just dump the DNS entries for them 
and close up the sites... if they're down, what does it matter that something 
out there is using an old list... hummm... unless maybe they were C&C centers 
and one is now attempting to find the culprit botherder... hummm...

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
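The false positive discussed in this thread comes down to what each content option actually matches against. The following is an added example, not code from the thread or from Snort: it models the matching semantics of a bare `content:"crappydomain.com";`, of the CRLF-bracketed `content:"|0d 0a|Host\: crappydomain.com|0d 0a|";`, and of a Host-header-aware check in the spirit of `http_header`, and runs all three over constructed HTTP payloads (a direct request, a request with an explicit port, a blog page that merely mentions the domain, and a search query naming it). The sample payloads, the function names and the header-parsing logic are this example's own assumptions.

```python
"""Compare three ways of spotting HTTP traffic to a blocked domain.

Added example (not code from the mailing-list thread or from Snort): it
models the matching semantics of the Snort content options discussed in
the thread on constructed sample payloads, so the false-positive behaviour
can be seen directly.
"""
import re

DOMAIN = b"crappydomain.com"

# Constructed sample payloads (not real captures).
# 1. An outbound request whose Host header names the domain: a true positive.
REQ_DIRECT = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: crappydomain.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)
# 2. The same host with an explicit port: still traffic "headed there", but an
#    exact CRLF-bracketed header match will not see it.
REQ_WITH_PORT = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: crappydomain.com:8080\r\n\r\n"
)
# 3. A blog page served by some other host that merely mentions the domain:
#    the false positive described in the thread.
BLOG_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<p>Do not visit crappydomain.com, it is bad news.</p>"
)
# 4. A request to a benign host whose query string carries the domain name.
REQ_SEARCH = (
    b"GET /search?q=crappydomain.com HTTP/1.1\r\n"
    b"Host: search.example.org\r\n\r\n"
)

SAMPLES = {
    "direct_request": REQ_DIRECT,
    "request_with_port": REQ_WITH_PORT,
    "blog_response": BLOG_RESPONSE,
    "search_request": REQ_SEARCH,
}


def bare_content_match(payload: bytes) -> bool:
    """Models  content:"crappydomain.com";  with no modifiers: the byte
    string anywhere in the payload fires, body text included."""
    return DOMAIN in payload


def crlf_host_match(payload: bytes) -> bool:
    """Models  content:"|0d 0a|Host\\: crappydomain.com|0d 0a|";  as a
    literal byte match: it needs the exact header line, so a port suffix,
    trailing whitespace or a lower-case 'host:' makes it miss."""
    return b"\r\nHost: " + DOMAIN + b"\r\n" in payload


# Header name case-insensitive, optional whitespace, optional :port.
_HOST_RE = re.compile(rb"^host:\s*([^\s:]+)(?::\d+)?\s*$",
                      re.IGNORECASE | re.MULTILINE)


def http_host_match(payload: bytes) -> bool:
    """Restricts the match to request headers, in the spirit of http_header,
    then compares the Host value itself (case-insensitive, port ignored).
    The parsing here is this example's own logic, not Snort's buffer handling."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    first_line = head.split(b"\r\n", 1)[0]
    if first_line.startswith(b"HTTP/"):  # a response, not a request
        return False
    m = _HOST_RE.search(head.replace(b"\r\n", b"\n"))
    return m is not None and m.group(1).lower() == DOMAIN


def evaluate() -> dict:
    """Run every matcher over every sample; returns
    {sample_name: (bare, crlf_host, http_host)}."""
    return {
        name: (bare_content_match(p), crlf_host_match(p), http_host_match(p))
        for name, p in SAMPLES.items()
    }


if __name__ == "__main__":
    print(f"{'sample':20} {'bare':>6} {'crlf':>6} {'host':>6}")
    for name, (bare, crlf, host) in evaluate().items():
        print(f"{name:20} {bare!s:>6} {crlf!s:>6} {host!s:>6}")
```

The bare content match fires on all four samples, including the blog page and the search query, which is exactly the false positive the thread describes. The CRLF-bracketed match fixes that but also misses the request with an explicit port. Only the Host-aware check flags the two requests actually headed to the domain. If the requirement turns out to be "all TCP traffic headed there" rather than HTTP, payload matching is the wrong tool altogether: the destination address belongs in the rule header (for example through an address variable holding the resolved IPs), not in a `content` option.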