[Oisf-users] Suricata 'alert http' rules using $HTTP_PORTS

Matthew Jonkman jonkman at gmail.com
Tue Sep 20 21:02:41 UTC 2011


On Sep 20, 2011, at 3:51 PM, Darren Spruell wrote:

> Incidentally - how best to use the http proto tag? :)
> 

A lot. That's best. :)

Significant coverage enhancement by using it and "any" as ports. We are catching a LOT more malware this way. 60% or more better than other engines because we just can't write sigs for every off-port http stream that malware uses for other engines. And even if we did, without normalization a bad guy could easily use Unicode in a URL on an off port; only Suricata can get that. 

So the way we use it in ET and ET Pro is essentially anything http is 

"alert http $HOME_NET any -> $EXTERNAL_NET any (flow:to_server,established; … ". 

So it works very well. We get malware and all on any port anywhere. AND suri isn't wasting time looking for "GET " or "POST " on every port everywhere. It's only applying http related rules to actual http streams. 

Big performance gain, incredible coverage gain, and a lot less complicated setup for the admin. 

Does that answer what you were thinking, Darren?

Thanks

Matt



> Interested to hear impressions.
> 
> DS
> 
> On Mon, Sep 12, 2011 at 1:44 PM, Matthew Jonkman <jonkman at gmail.com> wrote:
>> Some we do want to limit to http_ports, but more are legacy from prior to us understanding how best to use the http proto tag.
>> 
>> Appreciate the reminder, we'll dig through and get them all to the correct state that are appropriate asap!
>> 
>> Matt
>> 
>> 
>> 
>> On Sep 12, 2011, at 3:56 PM, Darren Spruell wrote:
>> 
>>> There's a number of rules in the Suricata rulesets (ET open, Pro) that
>>> use the following rule header constructs:
>>> 
>>> alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>>> alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>> 
>>> Is it intended to be using 'alert http' together with port-bound
>>> variables? I'd expect more of the 'alert http $EXTERNAL_NET any ->
>>> $HOME_NET any' construct although I can see restricting ports for
>>> performance reasons in some cases.
>>> 
>>> --
>>> Darren Spruell
>>> phatbuckett at gmail.com
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> 
>> 
>> ----------------------------------------------------
>> Matt Jonkman
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 866-504-2523 x110
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>> 
>> 
> 
> 
> 
> -- 
> Darren Spruell
> phatbuckett at gmail.com
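A small rule-header lint for the legacy pattern discussed in this thread, added here as an example (it is not code from ET or the Suricata project): it flags enabled 'alert http' rules whose header still binds a side to $HTTP_PORTS and suggests the any/any form Matt describes, while leaving negated or list forms for manual review. The sample ruleset and its sids are constructed for the example.

```python
import re

# Header of a Suricata rule up to the option list:
#   action proto src_ip src_port direction dst_ip dst_port (
HEADER_RE = re.compile(
    r'^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\('
)

def unbound_port(port_spec):
    """Rewrite a bare $HTTP_PORTS to 'any'. Negations or lists such as
    !$HTTP_PORTS or [$HTTP_PORTS,8080] would change meaning if replaced,
    so they are left as-is and flagged for manual review by the caller."""
    return 'any' if port_spec == '$HTTP_PORTS' else port_spec

def lint_rules(text):
    """Return (line_no, kind, suggested_header) for each enabled 'alert http'
    rule still bound to $HTTP_PORTS; kind is 'rewrite' or 'review'."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank, or a disabled (commented-out) rule
        m = HEADER_RE.match(line)
        if m is None or m.group('proto') != 'http':
            continue  # not a rule, or not an app-layer http rule
        sport, dport = m.group('sport'), m.group('dport')
        if '$HTTP_PORTS' not in sport + dport:
            continue  # already port-agnostic
        new_sport, new_dport = unbound_port(sport), unbound_port(dport)
        kind = 'review' if '$HTTP_PORTS' in new_sport + new_dport else 'rewrite'
        suggested = ' '.join([m.group('action'), 'http', m.group('src'), new_sport,
                              m.group('dir'), m.group('dst'), new_dport])
        findings.append((line_no, kind, suggested))
    return findings

# Constructed sample ruleset; sids are local-range placeholders, not ET sids.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"legacy inbound"; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"legacy outbound"; sid:1000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"already any/any"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"plain tcp, not http"; sid:1000004; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"disabled"; sid:1000005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"negated, review"; sid:1000006; rev:1;)
"""

if __name__ == '__main__':
    for line_no, kind, suggested in lint_rules(SAMPLE_RULES):
        print('line {}: {}: {}'.format(line_no, kind, suggested))
```

Run it over a real rules file by reading the file into a string and passing it to lint_rules; a 'review' finding means the port field was not a bare $HTTP_PORTS and needs a human decision.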