Snort mailing list archives
Re: Feasibility of one off rule
From: Alex Kirk <akirk () sourcefire com>
Date: Mon, 13 Jun 2011 09:53:40 -0700
In principle, probably not a bad idea. In practice, there's a bit of an implementation challenge. The issue is performance. You'd need something to stick in the fast pattern matcher - thus, a fixed string that shouldn't be too common - to make it more than "if I see traffic on these ports, fire", and thus make it not slow. I suppose you would't see "GET" very often on off ports, so that might work; I'd just wonder if there's a more consistent piece of the HTTP headers that's a bit longer than 3 characters that we could expect to be able to use in a rule like this. I don't suppose you've got more data than just the URL in question, do you? On Mon, Jun 13, 2011 at 9:25 AM, Lay, James <james.lay () wincofoods com>wrote:
Hey all! Looking through logs today....have come across: http://web1.51.la:82/go.asp Which according to malwaredomains.com is no good. I was wondering if it was feasible or a good idea to even create a rule that would fire on one or two offs from the standard port? I do see that msn.com uses port 81 for an item: http://apnxscm.ac3.msn.com:81/CACMSH.ashx?&t=1 These are all blocked anyway, but eh...was curious if this could be a worthwhile idea. Thanks. James ------------------------------------------------------------------------------ EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org
-- Alex Kirk AEGIS Program Lead Sourcefire Vulnerability Research Team +1-410-423-1937 alex.kirk () sourcefire com
------------------------------------------------------------------------------ EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org
Current thread:
- Feasibility of one off rule Lay, James (Jun 13)
- Re: Feasibility of one off rule Alex Kirk (Jun 13)
- Re: Feasibility of one off rule Martin Holste (Jun 13)
- Re: Feasibility of one off rule Lay, James (Jun 13)
- Re: Feasibility of one off rule Alex Kirk (Jun 13)