Snort mailing list archives
Re: Rule efficiency
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 23 Jul 2010 15:16:14 -0400
On 7/23/2010 13:56, Alex Kirk wrote:
> Meanwhile, let me give you some thoughts on these rules in particular. If you're looking for HTTP access, as I would guess based on your fictional names, you'll need to specify the http_header keyword to go along with those contents for Snort 2.8.6 and beyond - since hostnames appear in HTTP headers, and you need that keyword to make Snort look there.
really? so this information will no longer be available in the normal buffer at all???
> Additionally, you might consider switching these over to be rules that look for DNS queries to the domains in question (assuming you're confident this is not bot-generated traffic that's going off of an internal hosts file) - such rules are almost as easy to write,
i was going to suggest something similar, as well...
> and there's *way* less UDP traffic to inspect than HTTP, which will help improve your overall performance pretty dramatically.
hummm... i wonder how this format would flesh out on the efficiency scale??

alert tcp any any -> any any (content:"|0d 0a|Host\: crappydomain.com|0d 0a|"; nocase; priority:1; msg:"suspicious domain traffic alert crappydomain.com"; classtype:string-detect; sid:1000340; gid:1; rev:1; )

it at least anchors on the Host header keyword without using anything else... this also prevents it from firing on messages that are just talking about crappydomain.com ;)
> Oh, and to anyone reading this: I almost top-posted, but then I decided not to kill a kitten. ;-)
awww... Death likes kittens... he loves them, in fact ;) http://www.wpusa.dynip.com/wpusa_images/Death_with_kittens.jpg
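As an added example that is not part of this thread, the following Python helper emits the two rule variants discussed above for one hostname: the Host-header content with the http_header modifier, and the DNS-query form, where the domain must be written as length-prefixed labels rather than dotted text. The domain, sid numbers, and the $HOME_NET/$EXTERNAL_NET/$HTTP_PORTS variables are assumptions chosen for illustration.

```python
# Added example, not code from the thread. Builds the HTTP Host-header rule
# (with http_header, as needed from Snort 2.8.6 on) and the DNS-query rule
# for a domain. Variables, sids and the domain are assumed for illustration.

def snort_hex(data: bytes) -> str:
    """Render raw bytes as a Snort |xx xx| hex block."""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"

def dns_name_content(domain: str) -> str:
    """Encode a domain as it appears in a DNS question section:
    each label prefixed by its length byte, terminated by a zero byte.
    'crappydomain.com' becomes '|0c|crappydomain|03|com|00|'."""
    parts = []
    for label in domain.strip(".").lower().split("."):
        if not 1 <= len(label) <= 63:  # DNS label length limits
            raise ValueError(f"bad DNS label: {label!r}")
        parts.append(snort_hex(bytes([len(label)])) + label)
    return "".join(parts) + "|00|"

def http_host_rule(domain: str, sid: int) -> str:
    """Host-header match restricted to the HTTP header buffer. The trailing
    CRLF keeps 'crappydomain.com.example' from matching."""
    return (
        "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ("
        f'msg:"suspicious domain traffic {domain}"; '
        "flow:to_server,established; "
        f'content:"Host|3a| {domain}|0d 0a|"; nocase; http_header; '
        f"classtype:string-detect; sid:{sid}; rev:1;)"
    )

def dns_query_rule(domain: str, sid: int) -> str:
    """DNS-query variant: far less UDP/53 traffic to inspect than HTTP.
    nocase is kept because DNS names are case-insensitive on the wire."""
    return (
        "alert udp $HOME_NET any -> any 53 ("
        f'msg:"suspicious domain DNS query {domain}"; '
        f'content:"{dns_name_content(domain)}"; nocase; '
        f"classtype:string-detect; sid:{sid}; rev:1;)"
    )

if __name__ == "__main__":
    print(http_host_rule("crappydomain.com", 1000340))
    print(dns_query_rule("crappydomain.com", 1000341))
```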