Snort mailing list archives
Re: [Emerging-Sigs] 2012708
From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Tue, 26 Apr 2011 11:09:28 -0400
Yes, this rule is horrid. All of the ones we use the http_stat_msg and similar on are really poor performers. The sig versions for previous versions of Snort perform much better. Perhaps we should just use the old versions on all platforms? Is there some benefit to using the http keyword for these we might miss?

Thoughts?

Matt

On Apr 26, 2011, at 11:04 AM, Will Metcalf wrote:
IMHO this sig should be disabled by default. Running the ET open rules against some production network captures rich with HTTP, this sig cost the most in terms of total ticks. Signatures comprised completely of keywords ignored by fast_pattern should be avoided.

As an aside, I think I have requested this before, but snort-devs, imho you should allow your users more granular control over rule groupings, i.e. allow them to optionally/additionally group sigs based on src/dst ip. There is no reason why this sig should be so expensive in a data set comprised almost entirely of client HTTP requests. I think the concern was memory consumption, but so what?... memory is cheap! Just my 2 cents...

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; content:"414"; http_stat_code; content:"Request-URI Too Large"; http_stat_msg; nocase; classtype:web-application-attack; sid:2012708; rev:2;)

Regards,

Will

/me goes back to my WAF hole...

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
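Will's point that a signature built entirely from fast_pattern-ineligible keywords ends up with no fast-pattern content can be checked mechanically before a rule ships. The following is an added example, not code from this thread, from Emerging Threats or from the Snort project: a small Python lint that splits a rule's options, attributes each modifier to the content: that precedes it (as Snort does), and reports whether any content is usable as a fast pattern. The set of ineligible modifiers is taken from the Snort 2.9 manual and is an assumption to confirm against the deployed version; the first input is SID 2012708 as posted above, the second is a constructed contrast rule in the local SID range.

```python
import re
# Content modifiers that fast_pattern may not be combined with in Snort 2.9.x
# (assumption: taken from the Snort 2.9 manual; confirm against the deployed version).
FP_INELIGIBLE = {
    "http_stat_code", "http_stat_msg", "http_method", "http_cookie",
    "http_raw_uri", "http_raw_header", "http_raw_cookie",
}
# Options that modify the most recent content: rather than standing alone.
CONTENT_MODIFIERS = FP_INELIGIBLE | {
    "http_uri", "http_header", "http_client_body", "nocase", "rawbytes",
    "fast_pattern", "depth", "offset", "distance", "within",
}

def parse_contents(rule):
    """Return [(pattern, modifiers)] per content: option, in rule order; Snort
    attaches a modifier to the content that precedes it, so order matters."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for opt in re.split(r"(?<!\\);", body):  # ';' inside content is escaped as \;
        key, _, val = opt.strip().partition(":")
        key = key.strip()
        if key == "content":
            contents.append((val.strip().strip('"'), set()))
        elif contents and key in CONTENT_MODIFIERS:
            contents[-1][1].add(key)
    return contents

def fast_pattern_candidates(rule):
    """Contents the fast-pattern matcher could use to pre-filter the rule."""
    return [p for p, mods in parse_contents(rule) if not mods & FP_INELIGIBLE]

def audit(rule):
    """One-line verdict; 'no fast pattern' is the expensive case from the thread."""
    cands = fast_pattern_candidates(rule)
    if not cands:
        return "no fast pattern: evaluated against every packet in its port group"
    return "fast pattern candidates: " + ", ".join(cands)

# The rule under discussion (SID 2012708 rev 2, as posted in the thread).
RULE_2012708 = ('alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER '
                'HTTP 414 Request URI Too Large"; flow:from_server,established; content:"414"; '
                'http_stat_code; content:"Request-URI Too Large"; http_stat_msg; nocase; '
                'classtype:web-application-attack; sid:2012708; rev:2;)')
# Constructed contrast rule (local SID range): its http_uri content can be the fast pattern.
RULE_CONSTRUCTED = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed"; '
                    'flow:to_server,established; content:"GET"; http_method; '
                    'content:"/cgi-bin/"; http_uri; sid:1000001; rev:1;)')
if __name__ == "__main__":
    for r in (RULE_2012708, RULE_CONSTRUCTED):
        print(audit(r))
```

Running it over a whole ruleset and sorting by the "no fast pattern" verdict gives the same list a tick-based profile would eventually surface, without needing production captures first.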