Snort mailing list archives
Re: http content host matching rule optimization
From: Matt Olney <molney () sourcefire com>
Date: Mon, 7 Dec 2009 11:35:35 -0500
If I understand correctly: You get a list of URLs such as:

    www.badsite.com/malware.pl

This is the rule I'd write:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Mal_URI www.badsite.com/malware.pl"; flow:to_server,established; content:"www.badsite.com/malware.pl"; http_uri; nocase; sid:23424234;)

If you want to add thresholding, etc., that's fine. The important difference here is the use of the uri buffer as opposed to the header buffer. This has two advantages:

1) The uri buffer is normalized, so www.badsite.com/../../..\../malware.pl will still fire. The header field is not normalized.

2) The uri buffer is smaller, so snort processes less data.

Hope that helps, let me know if you have more questions,

Matt

On Mon, Dec 7, 2009 at 11:22 AM, Greg <j.greg.k () gmail com> wrote:
> I am curious if I can optimize this rule any further. I have a Perl script that runs once every few days that takes a manual download from MalwareURL.com and converts the data into a file that I include into the snort config. Since the file is long (around 3k entries) I am trying to minimize the alarms and overhead costs. I figure since I am focusing on the http_header and not the entire payload I gain some efficiency. Also using HTTP_PORTS as defined in snort.conf instead of ANY. I had to create unique SIDs for each URL though so I could use destination tracking to suppress extra hits. I only need to know that the access occurred in snort and then I go to a tshark capture device I built to replay the events to see the details.
>
> Below is the script segment that generates all the rules from the data file. Is this the most efficient? Is there a better way?
>
> -Thanks
> Greg
>
>     # Read one URL per line from the data file and emit a Snort rule for each
>     while (<IN>) {
>         chomp ($_);
>         print "alert tcp \$HOME_NET any -> \$EXTERNAL_NET \$HTTP_PORTS (msg:\"MalURL $_\"; flow:from_client; content:\"$_\"; http_header; nocase; threshold: type limit, track by_dst, seconds 3600, count 1; sid:$sid; rev:1;)\n";
>         $sid++;
>     }
>     close (IN);
>
> ------------------------------------------------------------------------------
> Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere. http://p.sf.net/sfu/redhat-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
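Added example, not code from either poster: a generator in the spirit of Greg's loop that emits rules on Snort's normalized HTTP buffers as Matt suggests, and that escapes characters which are special inside a Snort content:"..." string (`;`, `"`, `|`, `\`), something the original Perl loop does not do. Putting the host into http_header and the path into http_uri is this example's own choice, and the sample feed lines and SID range are constructed.

```python
"""Generate Snort rules from a list of malicious URLs (added example)."""
from urllib.parse import urlsplit

SPECIAL = set(';"\\|')  # must never appear raw inside content:"..."


def snort_content(s: str) -> str:
    """Escape a string for a Snort content match: special characters and
    anything outside printable ASCII are emitted as |XX| hex bytes."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for ch in s:
        if ch in SPECIAL or not (0x20 <= ord(ch) < 0x7F):
            hexrun.extend(f"{b:02X}" for b in ch.encode("utf-8"))
        else:
            flush()
            out.append(ch)
    flush()
    return "".join(out)


def make_rule(url: str, sid: int) -> str:
    """Build one rule: host in the normalized header buffer, path in the
    normalized URI buffer, thresholded by destination like Greg's rule."""
    parts = urlsplit(url if "://" in url else "http://" + url)  # feed has no scheme
    host = parts.hostname or ""
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    label = url.replace('"', "").replace(";", "")  # msg is quoted too
    return (
        "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS "
        f'(msg:"MalURL {label}"; flow:to_server,established; '
        f'content:"Host|3A| {snort_content(host)}"; http_header; nocase; '
        f'content:"{snort_content(path)}"; http_uri; nocase; '
        "threshold:type limit, track by_dst, count 1, seconds 3600; "
        f"sid:{sid}; rev:1;)"
    )


def generate(urls, first_sid=1000001):
    """Assign sequential SIDs so per-URL suppression works as in the thread."""
    return [make_rule(u, first_sid + i) for i, u in enumerate(urls)]


# Constructed feed lines; the second contains a ';' that would break a naive rule.
SAMPLE = ["www.badsite.com/malware.pl", "evil.example/dl.php?id=1;x"]

if __name__ == "__main__":
    print("\n".join(generate(SAMPLE)))
```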
Current thread:
- http content host matching rule optimization Greg (Dec 07)
- Re: http content host matching rule optimization Matt Olney (Dec 07)
- Re: http content host matching rule optimization Matt Olney (Dec 07)
- Re: http content host matching rule optimization Matt Olney (Dec 07)