Snort mailing list archives

Re: Feasibility of one off rule


From: "Lay, James" <james.lay () wincofoods com>
Date: Mon, 13 Jun 2011 13:56:50 -0600

Thanks for the response gents...appreciate it.  Here's a more complete url from my logs:

http://web1.51.la:82/go.asp?svid=5&id=3771531&tpages=1&ttimes=10&tzone=-6&tcolor=24&sSize=1680,1050&referrer=
http://web1.51.la:82/go.asp?svid=20&id=4123038&tpages=1&ttimes=1&tzone=-7&tcolor=32&sSize=1280,1024&referrer=
http://web1.51.la:82/go.asp?svid=5&id=3534164&tpages=1&ttimes=1&tzone=-6&tcolor=32&sSize=1152,864&referrer=

Hope that helps.  Thanks.

James

From: Alex Kirk [mailto:akirk () sourcefire com] 
Sent: Monday, June 13, 2011 10:54 AM
To: Lay, James
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Feasibility of one off rule

In principle, probably not a bad idea. In practice, there's a bit of an implementation challenge.

The issue is performance. You'd need something to stick in the fast pattern matcher - thus, a fixed string that 
shouldn't be too common - to make it more than "if I see traffic on these ports, fire", and thus make it not slow. I 
suppose you wouldn't see "GET" very often on off ports, so that might work; I'd just wonder if there's a more 
consistent piece of the HTTP headers that's a bit longer than 3 characters that we could expect to be able to use in a 
rule like this.

I don't suppose you've got more data than just the URL in question, do you?
On Mon, Jun 13, 2011 at 9:25 AM, Lay, James <james.lay () wincofoods com> wrote:
Hey all!

Looking through logs today... have come across:

http://web1.51.la:82/go.asp

Which according to malwaredomains.com is no good.  I was wondering if it
was feasible or a good idea to even create a rule that would fire on one
or two offs from the standard port?  I do see that msn.com uses port 81
for an item:

http://apnxscm.ac3.msn.com:81/CACMSH.ashx?&t=1

These are all blocked anyway, but eh...was curious if this could be a
worthwhile idea.  Thanks.

James

------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
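
The two concerns in the thread, the odd-port URLs in James's logs and Alex's point that a rule needs a fixed, uncommon string for the fast pattern matcher before the expensive checks run, as an added Python example written for this page; it is not code from either poster or from the Snort project. It assumes ports 80 and 8080 as the "standard" HTTP set, treats apnxscm.ac3.msn.com:81 as an analyst-vetted allowlist entry, and uses the longer string "HTTP/1." as the assumed fixed anchor instead of the 3-byte "GET" Alex mentions. The sample log lines and packet payloads are constructed for the example (the first two URLs are copied from the thread; the rest are invented).

```python
import re
from urllib.parse import urlsplit

# Constructed sample log modelled on the proxy-log URLs quoted in the thread.
# The first two lines are from the thread; the remaining three are invented
# here to exercise the allowlist, an implicit port and a standard alternate port.
SAMPLE_LOG = """\
http://web1.51.la:82/go.asp?svid=5&id=3771531&tpages=1&ttimes=10&tzone=-6&tcolor=24&sSize=1680,1050&referrer=
http://web1.51.la:82/go.asp?svid=20&id=4123038&tpages=1&ttimes=1&tzone=-7&tcolor=32&sSize=1280,1024&referrer=
http://apnxscm.ac3.msn.com:81/CACMSH.ashx?&t=1
http://www.example.com/index.html
http://www.example.com:8080/index.html
"""

# Assumption: these are the ports the site considers normal for plain HTTP.
STANDARD_HTTP_PORTS = {80, 8080}

# Assumption: hosts an analyst has vetted as legitimately serving HTTP on an
# odd port (the msn.com:81 case raised in the thread).
ALLOWLIST = {("apnxscm.ac3.msn.com", 81)}


def odd_port_hits(log_text):
    """Return (host, port, url) for every http:// URL in the log whose explicit
    port is outside STANDARD_HTTP_PORTS and not on the allowlist."""
    hits = []
    for raw in log_text.splitlines():
        url = raw.strip()
        if not url:
            continue
        parts = urlsplit(url)
        # URLs without an explicit port default to 80 and are not interesting here.
        if parts.scheme != "http" or parts.port is None:
            continue
        if parts.port in STANDARD_HTTP_PORTS:
            continue
        if (parts.hostname, parts.port) in ALLOWLIST:
            continue
        hits.append((parts.hostname, parts.port, url))
    return hits


# Alex's performance point: a rule keyed only on "traffic to an odd port" would
# push every packet on those ports through full inspection. Snort instead wants
# a fixed string it can hand to the fast pattern matcher so that only packets
# containing that string reach the rest of the rule. The two-stage check below
# is a toy model of that idea, not Snort's matcher.

# Assumption: "HTTP/1." is used as the fixed anchor; it is longer and less
# likely to occur by chance in arbitrary bytes than the 3-byte "GET".
FAST_PATTERN = b"HTTP/1."

# Stage-2 logic: a real HTTP request line. Responses also contain "HTTP/1."
# but do not match this, so the prefilter passing them is harmless.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")


def rule_fires(payload, dst_port):
    """Evaluate one client-to-server payload the way a port-plus-content rule would."""
    if dst_port in STANDARD_HTTP_PORTS:
        return False
    # Stage 1: cheap substring test, the part a fast pattern matcher would do.
    if FAST_PATTERN not in payload:
        return False
    # Stage 2: the more expensive parse runs only on survivors of stage 1.
    return REQUEST_LINE.match(payload) is not None


# Constructed packets: an HTTP GET to port 82 (fires), a TLS ClientHello
# fragment on port 82 (rejected by the cheap prefilter), and a normal GET on
# port 80 (rejected by the port test before any content is inspected).
SAMPLE_PACKETS = [
    (b"GET /go.asp?svid=5&id=3771531 HTTP/1.1\r\nHost: web1.51.la:82\r\n\r\n", 82),
    (b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03", 82),
    (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", 80),
]


def evaluate_packets(packets):
    """Return one verdict per (payload, dst_port) pair."""
    return [rule_fires(payload, port) for payload, port in packets]


if __name__ == "__main__":
    for host, port, url in odd_port_hits(SAMPLE_LOG):
        print(f"odd port {port} on {host}: {url}")
    for (payload, port), verdict in zip(SAMPLE_PACKETS, evaluate_packets(SAMPLE_PACKETS)):
        print(f"port {port}: {'ALERT' if verdict else 'no alert'} for {payload[:20]!r}")
```

Run as a script it lists the two web1.51.la:82 URLs and alerts only on the first packet. The second packet is the point of Alex's argument: most non-HTTP bytes on an odd port never contain the anchor string, so the regex (standing in for the rest of the rule) is not even reached for them.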
