Re: [Emerging-Sigs] 2012708

[Will Metcalf <william.metcalf () gmail com>]

> Is there some benefit to using the http keyword for these we might miss?

There is a performance benefit... just not with rules comprised
completely of any combination of the following keywords... namely,
http_cookie,
http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.

Regards,

Will


On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman
<jonkman () emergingthreatspro com> wrote:
> Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers.
>
> The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions on 
> all platforms?
>
> Is there some benefit to using the http keyword for these we might miss?
>
> Thoughts?
>
> Matt
>
>
> On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
>
> > IMHO this sig should be disabled by default.  Running the ET open
> > rules against some production network captures rich with HTTP, this
> > sig cost the most in terms of total ticks. Signatures comprised
> > completely of keywords ignored by fast_pattern should be avoided.  As
> > an aside, I think I have requested this before but, snort-devs imho
> > you should allow your users more granular control over rule groupings
> > i.e. allow them to optionally/additionally group sigs based on src/dst
> > ip.  There is no reason why this sig should be so expensive in a data
> > set comprised almost entirely of client HTTP requests.  I think the
> > concern was memory consumption, but so what?... memory is cheap! Just
> > my 2 cents...
> >
> > alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
> > WEB_SERVER HTTP 414 Request URI Too Large";
> > flow:from_server,established; content:"414"; http_stat_code;
> > content:"Request-URI Too Large"; http_stat_msg; nocase;
> > classtype:web-application-attack; sid:2012708; rev:2;)
> >
> > Regards,
> >
> > Will
> >
> > /me goes back to my WAF hole...
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs () emergingthreats net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> > The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630 x110
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel