[Oisf-users] Suricata 'alert http' rules using $HTTP_PORTS
Matthew Jonkman
jonkman at gmail.com
Tue Sep 20 21:02:41 UTC 2011
On Sep 20, 2011, at 3:51 PM, Darren Spruell wrote:
> Incidentally - how best to use the http proto tag? :)
>
A lot. That's best. :)
Significant coverage enhancement by using it and "any" as ports. We are catching a LOT more malware this way. 60% or more better than other engines because we just can't write sigs for every off-port http stream that malware uses for other engines. And even if we did, without normalization a bad guy could easily use unicode in a url on an off port, only suricata can get that.
So the way we use it in ET and ET Pro is essentially anything http is
"alert http $HOME_NET any -> $EXTERNAL_NET any (flow:to_server,established; … ".
So it works very well. We get malware and all on any port anywhere. AND suri isn't wasting time looking for "GET " or "POST " on every port everywhere. It's only applying http related rules to actual http streams.
Big performance gain, incredible coverage gain, and a lot less complicated setup for the admin.
Does that answer what you were thinking, Darren?
Thanks
Matt
> Interested to hear impressions.
>
> DS
>
> On Mon, Sep 12, 2011 at 1:44 PM, Matthew Jonkman <jonkman at gmail.com> wrote:
>> Some we do want to limit to http_ports, but more are legacy from prior to us understanding how best to use the http proto tag.
>>
>> Appreciate the reminder, we'll dig through and get them all to the correct state that are appropriate asap!
>>
>> Matt
>>
>>
>>
>> On Sep 12, 2011, at 3:56 PM, Darren Spruell wrote:
>>
>>> There's a number of rules in the Suricata rulesets (ET open, Pro) that
>>> use the following rule header constructs:
>>>
>>> alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>>> alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>>
>>> Is it intended to be using 'alert http" together with port-bound
>>> variables? I'd expect more of the 'alert http $EXTERNAL_NET any ->
>>> $HOME_NET any' construct although I can see restricting ports for
>>> performance reasons in some cases.
>>>
>>> --
>>> Darren Spruell
>>> phatbuckett at gmail.com
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>>
>> ----------------------------------------------------
>> Matt Jonkman
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 866-504-2523 x110
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>>
>>
>
>
>
> --
> Darren Spruell
> phatbuckett at gmail.com
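The rules Darren quotes and the "any"-port header Matt recommends differ only in the port fields, which makes the cleanup Matt promises ("dig through and get them all to the correct state") easy to automate. The linter below is an added example, not code from the ET/ET Pro rulesets or from Suricata; the four rules it runs over are constructed here and their sids are placeholders. It parses the rule header, reports every `alert http` rule whose source or destination port is bound to `$HTTP_PORTS`, and offers a rewrite to `any` for rules where that is wanted. It only reports rather than rewriting in place, because, as Matt notes, some rules are deliberately limited to `$HTTP_PORTS`, and a negated or bracketed port list such as `!$HTTP_PORTS` is left untouched by the rewrite so a human can look at it.

```python
"""Find Suricata 'alert http' rules whose header is still bound to $HTTP_PORTS.

Added example, not ET/ET Pro or Suricata code. Header grammar:
    action proto src_ip src_port direction dst_ip dst_port (options)
"""
import re

HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+'
    r'(?P<proto>[a-z\-]+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<options>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed sample rules (placeholder sids in the local 9000000 range).
RULE_LEGACY_TO_CLIENT = (
    'alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"legacy port-bound http rule"; flow:established,to_client; '
    'content:"bad"; sid:9000001; rev:1;)'
)
RULE_LEGACY_TO_SERVER = (
    'alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"legacy port-bound http rule 2"; flow:established,to_server; '
    'content:"bad"; sid:9000002; rev:1;)'
)
RULE_ANY_PORT = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"already any-port"; flow:established,to_server; '
    'content:"bad"; sid:9000003; rev:1;)'
)
RULE_PLAIN_TCP = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"tcp rule, port binding is fine here"; content:"GET "; '
    'sid:9000004; rev:1;)'
)
SAMPLE_RULES = "\n".join([
    "# constructed sample ruleset",
    RULE_LEGACY_TO_CLIENT,
    RULE_LEGACY_TO_SERVER,
    RULE_ANY_PORT,
    RULE_PLAIN_TCP,
])


def parse_rule(line):
    """Split one rule into header fields plus its sid; None if not a rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    sid = SID_RE.search(fields["options"])
    fields["sid"] = int(sid.group(1)) if sid else None
    return fields


def uses_http_ports(port_field):
    """True for $HTTP_PORTS and for lists/negations that mention it."""
    return "$HTTP_PORTS" in port_field


def find_port_bound_http_rules(ruleset):
    """Return sids of 'alert http' rules with $HTTP_PORTS in either port field.

    Rules on other protocols (e.g. 'alert tcp') are skipped: without the
    app-layer keyword the port is the only thing scoping them to HTTP.
    """
    hits = []
    for line in ruleset.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None or rule["proto"] != "http":
            continue
        if uses_http_ports(rule["sport"]) or uses_http_ports(rule["dport"]):
            hits.append(rule["sid"])
    return hits


def widen_http_rule(line):
    """Rewrite a bare $HTTP_PORTS port field to 'any' on an http rule.

    Negated or bracketed forms (e.g. !$HTTP_PORTS) are left as-is so a
    human decides; non-http rules are returned unchanged.
    """
    rule = parse_rule(line)
    if rule is None or rule["proto"] != "http":
        return line
    sport = "any" if rule["sport"] == "$HTTP_PORTS" else rule["sport"]
    dport = "any" if rule["dport"] == "$HTTP_PORTS" else rule["dport"]
    return (f'{rule["action"]} http {rule["src"]} {sport} {rule["dir"]} '
            f'{rule["dst"]} {dport} ({rule["options"]})')


if __name__ == "__main__":
    for sid in find_port_bound_http_rules(SAMPLE_RULES):
        print(f"sid {sid}: 'alert http' rule still bound to $HTTP_PORTS")
    print(widen_http_rule(RULE_LEGACY_TO_CLIENT))
```

Run against a real ruleset, the reported sids are the candidates for the `any`-port header; each one should still be checked for a deliberate port restriction before `widen_http_rule` is applied.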