Snort mailing list archives
Re: Rule efficiency
From: "Isherwood, Jeffrey - IS" <Jeffrey.Isherwood () itt com>
Date: Mon, 26 Jul 2010 08:42:55 -0400
Yes I did see that snippet of rule... very nice... would that work more efficiently than using the "http_header" option with my previous content search of:

(content:"crappydomain.com";

Or does the one that you proposed:

(content:"|0d 0a|Host\: crappydomain.com|0d 0a|"

work faster or more accurately?

I asked the bosses this morning BTW if they wanted http traffic to crappydomain.com or all TCP traffic, and they were unsure... they will be getting back to me. I have a sinking suspicion that they want ALL traffic tho, based upon "looks" I got when I asked the question. If they come back with "Yes we want all TCP traffic headed there" I will need to find a way to look only for traffic headed there instead of simply traffic that contains the term, as the blog posting that points or mentions "crappydomain.com" is setting off my rules with false positives.

Jeffrey Isherwood, CISSP, C|EH
Computer Security Analyst | Enterprise Protection & Planning
Information Systems | Information Protection & Sharing

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Saturday, July 24, 2010 2:16 AM
Subject: Re: [Snort-users] Rule efficiency

On 7/23/2010 16:12, Isherwood, Jeffrey - IS wrote:
> If it turns out that mgmt DOES want just web traffic, the use of the http_header will tell the sensors to stop alerting on the content on pages then correct? I have been getting false positives where a user visits a page with a link or mention of “crappydomain.com” on it and that visit sets off the alert…
this is exactly the false positive i was speaking of... forum pages with discussions about crappydomain.com was one i was thinking... these mailing list posts are another very prominent example ;) did you see my offering where we use content like you are and then include an anchor on the http host header without using the http_header option?
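The three matching styles discussed in this thread, as an added example that is not from the thread or from the Snort project: a plain `content:"crappydomain.com"` match, the same content restricted to the HTTP header buffer (what the `http_header` modifier does: it limits the search to the headers that the http_inspect preprocessor extracts rather than the whole packet), and the CRLF-anchored `|0d 0a|Host\: crappydomain.com|0d 0a|` pattern. The requests and response below are constructed sample traffic, and `crappydomain.com` is the placeholder name the thread uses. The script runs each style over a real visit, a forum page that merely mentions the domain, a visit referred from the domain, and a visit with an explicit port in the Host header, which is the one case the anchored pattern misses; a small parsed-Host check is included as an assumption about how one would cover that last case outside of Snort.

```python
# Added example (not from the Snort-users thread): simulate how three styles
# of Snort content match behave against constructed HTTP traffic.

DOMAIN = b"crappydomain.com"  # placeholder domain used throughout the thread

# Constructed sample traffic, not captured data.
REAL_VISIT = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: crappydomain.com\r\n"
    b"User-Agent: sample\r\n\r\n"
)
FORUM_RESPONSE = (  # a page that only talks about the domain
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<p>Has anyone else seen traffic to crappydomain.com lately?</p>"
)
REFERRED_VISIT = (  # user came from the domain but is not going to it
    b"GET /page HTTP/1.1\r\n"
    b"Host: example.org\r\n"
    b"Referer: http://crappydomain.com/blog\r\n\r\n"
)
PORT_VISIT = (  # a real visit, but with a port in the Host header
    b"GET / HTTP/1.1\r\n"
    b"Host: crappydomain.com:8080\r\n\r\n"
)


def plain_content(payload):
    """content:"crappydomain.com" with no modifier: substring anywhere."""
    return DOMAIN in payload


def header_buffer(payload):
    """Approximation of the http_header buffer: everything before the blank line."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    return head if sep else payload


def http_header_content(payload):
    """content:"crappydomain.com"; http_header; : substring within the headers."""
    return DOMAIN in header_buffer(payload)


def anchored_host(payload):
    """content:"|0d 0a|Host\\: crappydomain.com|0d 0a|": the exact Host line."""
    return b"\r\nHost: " + DOMAIN + b"\r\n" in payload


def parsed_host(payload):
    """Assumed extra check: parse the Host header and ignore any :port suffix."""
    for line in header_buffer(payload).split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().split(b":")[0] == DOMAIN
    return False


def evaluate(payload):
    """Return which of the match styles fire on one packet payload."""
    return {
        "plain_content": plain_content(payload),
        "http_header": http_header_content(payload),
        "anchored_host": anchored_host(payload),
        "parsed_host": parsed_host(payload),
    }


if __name__ == "__main__":
    samples = {
        "real visit": REAL_VISIT,
        "forum page mentioning domain": FORUM_RESPONSE,
        "visit referred from domain": REFERRED_VISIT,
        "real visit with port": PORT_VISIT,
    }
    for label, payload in samples.items():
        print(f"{label:30} {evaluate(payload)}")
```

The plain match fires on all four, which is the false positive described above. Restricting the match to the header buffer drops the forum page but still fires on the Referer header, so it reports where a user came from as well as where they are going. The CRLF-anchored Host pattern fires only on the genuine visit, at the cost of missing a Host header that carries a port; if that matters in your environment, a second rule for the `:port` form, or a check like `parsed_host` in a post-processing step, covers it.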