Snort mailing list archives

2012708


From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 26 Apr 2011 10:04:44 -0500

IMHO this sig should be disabled by default.  Running the ET open
rules against some production network captures rich with HTTP, this
sig cost the most in terms of total ticks. Signatures comprised
completely of keywords ignored by fast_pattern should be avoided.  As
an aside, I think I have requested this before but, snort-devs imho
you should allow your users more granular control over rule groupings
i.e. allow them to optionally/additionally group sigs based on src/dst
ip.  There is no reason why this sig should be so expensive in a data
set comprised almost entirely of client HTTP requests.  I think the
concern was memory consumption, but so what?... memory is cheap! Just
my 2 cents...

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large";
flow:from_server,established; content:"414"; http_stat_code;
content:"Request-URI Too Large"; http_stat_msg; nocase;
classtype:web-application-attack; sid:2012708; rev:2;)

Regards,

Will

/me goes back to my WAF hole...
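The expensive pattern Will describes, a rule whose every content match lives in a buffer the fast pattern matcher never looks at, can be caught mechanically before a ruleset is deployed. The following linter is an added example written for this archive page; it is not code from Will, the Emerging Threats project, or Snort. It assumes the Snort 2.9 rule that content matches modified by http_stat_code, http_stat_msg, http_cookie, http_raw_cookie, http_raw_uri or http_raw_header are never chosen as the fast pattern (taken from the Snort 2.9 manual's fast_pattern section; treat the list as an assumption to check against your Snort version). The rule with sid 2012708 is the one quoted above; the second rule, with placeholder sid 9000001, is constructed here purely as a contrast.

```python
"""Flag Snort 2.9 rules with no content usable by the fast pattern matcher.

Added example for the thread above; not Snort, ET or the poster's code.
"""
import re

# Content modifiers that exclude a match from fast_pattern selection.
# Assumption: taken from the Snort 2.9 manual's description of fast_pattern.
FP_INELIGIBLE = {
    "http_stat_code", "http_stat_msg", "http_cookie",
    "http_raw_cookie", "http_raw_uri", "http_raw_header",
}
# Every keyword that modifies the content match immediately before it.
CONTENT_MODIFIERS = FP_INELIGIBLE | {
    "nocase", "rawbytes", "depth", "offset", "distance", "within",
    "fast_pattern", "http_uri", "http_header", "http_client_body",
    "http_method",
}

# The rule quoted in the e-mail above (sid 2012708, rev 2).
RULE_2012708 = (
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any '
    '(msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; '
    'flow:from_server,established; content:"414"; http_stat_code; '
    'content:"Request-URI Too Large"; http_stat_msg; nocase; '
    'classtype:web-application-attack; sid:2012708; rev:2;)'
)

# Constructed contrast rule (placeholder sid): its contents sit in the
# request method and header buffers, so the fast pattern matcher can use them.
CONSTRUCTED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"EXAMPLE constructed request rule"; flow:to_server,established; '
    'content:"GET"; http_method; content:"Host|3A|"; http_header; '
    'sid:9000001; rev:1;)'
)


def split_options(rule):
    """Return the rule body's options, splitting on ';' outside quotes."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("rule has no option body")
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in m.group(1):
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def content_matches(rule):
    """List each content match with the set of modifiers attached to it."""
    matches, current = [], None
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            current = {"pattern": val.strip('"'), "modifiers": set()}
            matches.append(current)
        elif key in CONTENT_MODIFIERS and current is not None:
            current["modifiers"].add(key)
        else:
            current = None  # any other keyword ends the modifier run


    return matches


def fast_pattern_candidates(rule):
    """Content matches the fast pattern matcher could pick."""
    return [c for c in content_matches(rule)
            if not c["modifiers"] & FP_INELIGIBLE]


def sid(rule):
    """Extract the rule's sid, or None if it has none."""
    m = re.search(r"\bsid\s*:\s*(\d+)", rule)
    return int(m.group(1)) if m else None


def lint(rules):
    """Sids of rules that have contents, none of which fast_pattern can use.

    Rules with no content at all are skipped: they never enter the
    multi-pattern matcher and are a separate cost question.
    """
    return [sid(r) for r in rules
            if content_matches(r) and not fast_pattern_candidates(r)]


if __name__ == "__main__":
    for s in lint([RULE_2012708, CONSTRUCTED_RULE]):
        print(f"sid {s}: every content match is ignored by fast_pattern")
```

Run over a whole ruleset, the list `lint` returns is the set of signatures that will be evaluated against every packet the header (ports, flow direction) lets through, which is exactly the cost Will measured in ticks on HTTP-heavy captures.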

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

