Re: [Emerging-Sigs] 2012708

[Matthew Jonkman <jonkman () emergingthreatspro com>]

So I'll make them no http+* at all for current snorts then. Note, no change to the previous snort's rules.

Thanks!!

Matt


On Apr 26, 2011, at 1:10 PM, rmkml wrote:

> Hi,
> Confirm it, no match with http_header.
> Regards
> Rmkml
>
>
> On Tue, 26 Apr 2011, Will Metcalf wrote:
>
> > I don't think that the status-line is include in the http_header
> > buffer correct?  I think your modification will cause this sig not to
> > fire.
> >
> > HTTP/1.1 414 Request URI Too Large
> > Date: Mon, 25 Apr 2011 18:55:13 GMT
> > Server: Apache/2.2.14 (Ubuntu)
> > Vary: Accept-Encoding
> > Content-Encoding: gzip
> > Content-Length: 249
> > Content-Type: text/html; charset=iso-8859-1
> >
> > Regards,
> >
> > Will
> >
> > On Tue, Apr 26, 2011 at 11:21 AM, Matt Olney <molney () sourcefire com> wrote:
> > > This is because http_stat_code doesn't add to the fast_pattern
> > > matcher.  In this case, since http_stat_code does no nomalization (and
> > > therefore the content would be the same in http_header) , I'd
> > > recommend the following:
> > > alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
> > > WEB_SERVER HTTP 414 Request URI Too Large";
> > > flow:from_server,established; content:"414"; http_stat_code;
> > > content:"Request-URI Too Large"; http_header; nocase;
> > > classtype:web-application-attack; sid:2012708; rev:2;)
> > >
> > > This replaces a nice, fat "Request-URI Too Large" into the
> > > fast_pattern, which should improve performance.
> > >
> > > For further reference, none of the following make entries into the
> > > fast_pattern matcher:
> > > http cookie, http raw uri, http raw header, http raw cookie, http stat
> > > code, http stat msg
> > >
> > > Matt
> > >
> > > On Tue, Apr 26, 2011 at 11:14 AM, Will Metcalf
> > > <william.metcalf () gmail com> wrote:
> > > > > Is there some benefit to using the http keyword for these we might miss?
> > > >
> > > > There is a performance benefit... just not with rules comprised
> > > > completely of any combination of the following keywords... namely,
> > > > http_cookie,
> > > > http_raw_uri, http_raw_header, http_raw_cookie, http_stat_code, http_stat_msg.
> > > >
> > > > Regards,
> > > >
> > > > Will
> > > >
> > > >
> > > > On Tue, Apr 26, 2011 at 10:09 AM, Matthew Jonkman
> > > > <jonkman () emergingthreatspro com> wrote:
> > > > > Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers.
> > > > >
> > > > > The sig versions for previous versions of snort perform much better. Perhaps we should just use the old versions 
> > > > > on all platforms?
> > > > >
> > > > > Is there some benefit to using the http keyword for these we might miss?
> > > > >
> > > > > Thoughts?
> > > > >
> > > > > Matt
> > > > >
> > > > >
> > > > > On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
> > > > >
> > > > > > IMHO this sig should be disabled by default.  Running the ET open
> > > > > > rules against some production network captures rich with HTTP, this
> > > > > > sig cost the most in terms of total ticks. Signatures comprised
> > > > > > completely of keywords ignored by fast_pattern should be avoided.  As
> > > > > > an aside, I think I have requested this before but, snort-devs imho
> > > > > > you should allow your users more granular control over rule groupings
> > > > > > i.e. allow them to optionally/additionally group sigs based on src/dst
> > > > > > ip.  There is no reason why this sig should be so expensive in a data
> > > > > > set comprised almost entirely of client HTTP requests.  I think the
> > > > > > concern was memory consumption, but so what?... memory is cheap! Just
> > > > > > my 2 cents...
> > > > > >
> > > > > > alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET
> > > > > > WEB_SERVER HTTP 414 Request URI Too Large";
> > > > > > flow:from_server,established; content:"414"; http_stat_code;
> > > > > > content:"Request-URI Too Large"; http_stat_msg; nocase;
> > > > > > classtype:web-application-attack; sid:2012708; rev:2;)
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Will
> > > > > >
> > > > > > /me goes back to my WAF hole...
> > > > > > _______________________________________________
> > > > > > Emerging-sigs mailing list
> > > > > > Emerging-sigs () emergingthreats net
> > > > > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > > > > >
> > > > > > Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> > > > > > The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
> > > > >
> > > > >
> > > > > ----------------------------------------------------
> > > > > Matthew Jonkman
> > > > > Emergingthreats.net
> > > > > Emerging Threats Pro
> > > > > Open Information Security Foundation (OISF)
> > > > > Phone 765-807-8630 x110
> > > > > Fax 312-264-0205
> > > > > http://www.emergingthreatspro.com
> > > > > http://www.openinfosecfoundation.org
> > > > > ----------------------------------------------------
> > > > >
> > > > > PGP: http://www.jonkmans.com/mattjonkman.asc
> > > >
> > > > ------------------------------------------------------------------------------
> > > > WhatsUp Gold - Download Free Network Management Software
> > > > The most intuitive, comprehensive, and cost-effective network
> > > > management toolset available today.  Delivers lowest initial
> > > > acquisition cost and overall TCO of any competing solution.
> > > > http://p.sf.net/sfu/whatsupgold-sd
> > > > _______________________________________________
> > > > Snort-devel mailing list
> > > > Snort-devel () lists sourceforge net
> > > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> >
> > ------------------------------------------------------------------------------
> > WhatsUp Gold - Download Free Network Management Software
> > The most intuitive, comprehensive, and cost-effective network
> > management toolset available today.  Delivers lowest initial
> > acquisition cost and overall TCO of any competing solution.
> > http://p.sf.net/sfu/whatsupgold-sd
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> ------------------------------------------------------------------------------
> WhatsUp Gold - Download Free Network Management Software
> The most intuitive, comprehensive, and cost-effective network 
> management toolset available today.  Delivers lowest initial 
> acquisition cost and overall TCO of any competing solution.
> http://p.sf.net/sfu/whatsupgold-sd_______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel