Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Rule efficiency

From: "Isherwood, Jeffrey - IS" <Jeffrey.Isherwood () itt com>
Date: Mon, 26 Jul 2010 08:42:55 -0400
Yes I did see that snippet of rule... very nice... would that work more efficient than using the "http_header" option 
with my previous content search of: (content:"crappydomain.com";

Or does the one that you proposed:  (content:"|0d 0a|Host\: crappydomain.com|0d 0a|"

Work faster or more accurately?

I asked the bosses this morning BTW if they wanted http traffic to crappydomain.com or all TCP traffic, and they were 
unsure... they will be getting back to me.  I have a sinking suspicion that they want ALL traffic tho, based upon 
"looks" I got when I asked the question.

If they come back with "Yes we want all TCP traffic headed there" I will need to find a way to look only for traffic 
headed there instead of simply traffic that contains the term, as the blog posting that points or mentions 
"crappydomain.com" is setting off my rules with false positives.


Jeffrey Isherwood, CISSP, C|EH
Computer Security Analyst | Enterprise Protection & Planning
Information Systems | Information Protection & Sharing

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Saturday, July 24, 2010 2:16 AM
Subject: Re: [Snort-users] Rule efficiency

On 7/23/2010 16:12, Isherwood, Jeffrey - IS wrote:

If it turns out that mgmt DOES want just web traffic, the use of the
http_header will tell the sensors to stop alerting on the content on
pages then correct? I have been getting false positives where a user
visits a page with a link or mention of “crappydomain.com” on it and
that visit sets off the alert…



this is exactly the false positive i was speaking of... forum pages with discussions
about crappydomain.com was one i was thinking... these mailing list posts are another
very prominent example ;)

did you see my offering where we use content like you are and then include an anchor
on the http host header without using the http_header option?


This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual 
or entity to whom they are addressed. If you have received this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily 
represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of 
viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.
------------------------------------------------------------------------------
The Palm PDK Hot Apps Program offers developers who use the
Plug-In Development Kit to bring their C/C++ apps to Palm for a share 
of $1 Million in cash or HP Products. Visit us here for more details:
http://ad.doubleclick.net/clk;226879339;13503038;l?
http://clk.atdmt.com/CRS/go/247765532/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: