Snort mailing list archives
2012708
From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 26 Apr 2011 10:04:44 -0500
IMHO this sig should be disabled by default. Running the ET open rules against some production network captures rich with HTTP, this sig cost the most in terms of total ticks. Signatures comprised completely of keywords ignored by fast_pattern should be avoided.

As an aside, I think I have requested this before, but snort-devs, IMHO you should allow your users more granular control over rule groupings, i.e. allow them to optionally/additionally group sigs based on src/dst IP. There is no reason why this sig should be so expensive in a data set comprised almost entirely of client HTTP requests. I think the concern was memory consumption, but so what?... memory is cheap! Just my 2 cents...

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; content:"414"; http_stat_code; content:"Request-URI Too Large"; http_stat_msg; nocase; classtype:web-application-attack; sid:2012708; rev:2;)

Regards,

Will

/me goes back to my WAF hole...

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
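The cost Will describes comes from a rule whose every content option sits in a buffer the fast-pattern matcher does not index, so the rule cannot be pre-filtered and is evaluated against every packet in its port group. The following is an added example (not code from the thread, Emerging Threats, or the Snort project): a small linter that parses Snort 2.9-style rules and reports whether any content could serve as a fast pattern. It assumes the Snort 2.9-era list of HTTP modifiers that were excluded from fast_pattern (http_stat_code, http_stat_msg, http_method, http_cookie and the http_raw_* buffers); the contrast rule RULE_CONSTRUCTED is a constructed sample with a sid in the local range, not a real ET rule.

```python
"""Flag Snort 2.9-style rules with no fast_pattern-eligible content.

Added example, not part of the original thread. Assumes Snort 2.9-era rule
syntax and that the modifiers listed below were excluded from fast_pattern.
"""
import re

# Content modifiers whose buffers could not be chosen as the fast pattern in
# the Snort 2.9 engine (assumption taken from the manual of that era).
FAST_PATTERN_INELIGIBLE = frozenset({
    "http_stat_code", "http_stat_msg", "http_method", "http_cookie",
    "http_raw_uri", "http_raw_header", "http_raw_cookie",
})

# Every option keyword that modifies the content preceding it.
CONTENT_MODIFIERS = FAST_PATTERN_INELIGIBLE | {
    "nocase", "rawbytes", "depth", "offset", "distance", "within",
    "fast_pattern", "http_uri", "http_header", "http_client_body",
}

# The rule under discussion, copied from the thread.
RULE_2012708 = (
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any '
    '(msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; '
    'flow:from_server,established; content:"414"; http_stat_code; '
    'content:"Request-URI Too Large"; http_stat_msg; nocase; '
    'classtype:web-application-attack; sid:2012708; rev:2;)'
)

# Constructed contrast rule (not a real ET rule; sid in the local range).
RULE_CONSTRUCTED = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"CONSTRUCTED example anchored on a URI"; flow:to_server,established; '
    'content:"/example/path"; http_uri; nocase; sid:1000001; rev:1;)'
)


def split_options(body):
    """Split the option body on ';' while honouring quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def audit_rule(rule):
    """Describe which content options of a rule could serve as its fast pattern."""
    m = re.match(r"^\s*(.*?)\s*\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule[:40])
    header, body = m.group(1), m.group(2)
    contents, sid, msg = [], None, ""
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "content":
            negated = value.startswith("!")
            pattern = value.lstrip("!").strip().strip('"')
            contents.append({"pattern": pattern, "negated": negated, "modifiers": set()})
        elif key in CONTENT_MODIFIERS and contents:
            contents[-1]["modifiers"].add(key)  # modifiers bind to the latest content
        elif key == "sid":
            sid = int(value)
        elif key == "msg":
            msg = value.strip('"')
    # A negated content or one in an ineligible buffer can never be the fast pattern.
    eligible = [c["pattern"] for c in contents
                if not c["negated"] and not (c["modifiers"] & FAST_PATTERN_INELIGIBLE)]
    return {"sid": sid, "msg": msg, "header": header, "contents": contents,
            "eligible": eligible, "fast_pattern_possible": bool(eligible)}


def unfiltered_rules(rules):
    """Return the audits of rules that would run on every packet in their port group."""
    return [r for r in map(audit_rule, rules) if not r["fast_pattern_possible"]]


if __name__ == "__main__":
    for r in map(audit_rule, [RULE_2012708, RULE_CONSTRUCTED]):
        status = "fast-pattern OK" if r["fast_pattern_possible"] else "NO fast pattern"
        print("sid %s: %s (%s)" % (r["sid"], status, r["msg"]))
```

Run over a whole ruleset, unfiltered_rules gives the list of signatures to review first when a sensor shows high total ticks; each such rule is matched by header alone, which is exactly why a server-to-client status-line rule ends up evaluated against a capture made mostly of client requests.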
Current thread:
- 2012708 Will Metcalf (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matthew Jonkman (Apr 26)
- Re: [Emerging-Sigs] 2012708 Will Metcalf (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matt Olney (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matthew Jonkman (Apr 26)
- Re: [Emerging-Sigs] 2012708 Steven Sturges (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matthew Jonkman (Apr 26)
- Re: [Emerging-Sigs] 2012708 Steven Sturges (Apr 26)
- Re: [Emerging-Sigs] 2012708 Will Metcalf (Apr 26)
- Re: [Emerging-Sigs] 2012708 Will Metcalf (Apr 26)
- Re: [Emerging-Sigs] 2012708 rmkml (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matthew Jonkman (Apr 26)
- Re: [Emerging-Sigs] 2012708 Matthew Jonkman (Apr 26)