Snort mailing list archives

Re: Performance Question - content vs uricontent


From: Matt Olney <molney () sourcefire com>
Date: Fri, 30 Jan 2009 13:07:23 -0500

URICONTENT is the preferred method for a pair of reasons:

1)  You're looking at a smaller set of data, so your match (or lack
thereof) will be faster
2)  You're looking at a specific set of data (the URI) so your match
(or lack thereof) will be more accurate and less prone to false
positives.

Also, some other notes:

1)  Your "POST" match would not be in uricontent.
2)  Your depth 69 is evadable by ../../../../.. tricks, as content
isn't normalized for URI traffic.

Also, if you're going to write a rule requiring POST, upgrade to snort
2.8.3 and use the http_method modifier, and look simply for POST.
Same arguments as at the top... faster and more accurate.

Hopefully something in there answered your question.

Matt

On Fri, Jan 30, 2009 at 12:16 PM, dxp <dxp2532 () gmail com> wrote:
The following snippet was taken from Emerging Threats mailing list
discussion regarding optimizing one of the rules.  Can someone here shed
some light into this?

--- snip --- by Martin Holste

But academically speaking, can anyone say which is theoretically less load?
For instance, in the below example, which would be faster:

content:"POST "; depth:5; content:"/forms.cgi"; within:64;
(or some other smallish integer to keep from scanning the entire flow)

or
content:"/forms.cgi HTTP"; depth:69;

or
does uricontent beat them both?

--- snip ---

-
-=[ dxp ]=-
0xA3F3C6E3
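To make the two points in the reply concrete, here is an added example (written for this archive page, not code from the thread or from Snort itself). It models the three rule styles under discussion as small Python matchers and runs them over constructed HTTP requests: a plain POST, a POST whose URI is padded with ../ segments, a POST with a %2E-encoded dot, and a GET. The sample requests are made up, `content()` is a simplified stand-in for Snort's depth/within window semantics, and `normalize_uri()` is only an approximation of what Snort's HTTP preprocessor does before a uricontent match (percent-decoding plus path-segment collapsing); real http_inspect normalization covers more cases.

```python
# Added example (not from the thread): model content+depth, content+within,
# and http_method+uricontent, then show which ones survive URI padding,
# percent-encoding, and a non-POST request.
import re
from typing import Optional

# Constructed sample requests (not captured traffic).
PLAIN   = b"POST /forms.cgi HTTP/1.1\r\nHost: example.test\r\n\r\nname=a"
PADDED  = b"POST /" + b"x/../" * 20 + b"forms.cgi HTTP/1.1\r\nHost: example.test\r\n\r\nname=a"
ENCODED = b"POST /forms%2Ecgi HTTP/1.1\r\nHost: example.test\r\n\r\nname=a"
GET_REQ = b"GET /forms.cgi HTTP/1.1\r\nHost: example.test\r\n\r\n"


def content(payload: bytes, pat: bytes, start: int = 0, limit: Optional[int] = None) -> int:
    """Return the end offset of pat if it lies entirely inside payload[start:limit],
    else -1. This mirrors depth (start=0, limit=depth) and within
    (start=previous match end, limit=start+within): the whole pattern must fit."""
    end = len(payload) if limit is None else limit
    pos = payload.find(pat, start, end)
    return -1 if pos < 0 else pos + len(pat)


def normalize_uri(uri: str) -> str:
    """Approximation (assumption, not Snort's actual code) of the normalization an
    HTTP preprocessor applies before uricontent is evaluated: %xx decoding, then
    collapsing '', '.' and '..' path segments. The query string is left alone."""
    decoded = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), uri)
    path, sep, query = decoded.partition("?")
    segs = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    return "/" + "/".join(segs) + sep + query


def parse_request_line(payload: bytes):
    """Split the first line of the request into (method, raw URI)."""
    line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) < 2:
        return "", ""
    return parts[0], parts[1]


# content:"POST "; depth:5; content:"/forms.cgi"; within:64;
def rule_content_within(payload: bytes) -> bool:
    end = content(payload, b"POST ", 0, 5)
    if end < 0:
        return False
    return content(payload, b"/forms.cgi", end, end + 64) >= 0


# content:"/forms.cgi HTTP"; depth:69;
def rule_content_depth(payload: bytes) -> bool:
    return content(payload, b"/forms.cgi HTTP", 0, 69) >= 0


# content:"POST"; http_method; uricontent:"/forms.cgi";
def rule_uricontent(payload: bytes) -> bool:
    method, uri = parse_request_line(payload)
    return method == "POST" and "/forms.cgi" in normalize_uri(uri)


def evaluate(payload: bytes) -> dict:
    """Run all three rule models over one request."""
    return {
        "content+within": rule_content_within(payload),
        "content+depth": rule_content_depth(payload),
        "http_method+uricontent": rule_uricontent(payload),
    }


if __name__ == "__main__":
    for name, req in (("plain", PLAIN), ("padded", PADDED),
                      ("encoded", ENCODED), ("GET", GET_REQ)):
        print(f"{name:8s} {evaluate(req)}")
```

On the padded request the raw "/forms.cgi" does not begin until byte 105, well past depth:69 and past the 64-byte within window, so both raw-buffer rules miss while the normalized URI collapses to "/forms.cgi" and the uricontent rule fires. The percent-encoded request misses the raw rules the same way. The GET request shows the accuracy point from the other side: the depth:69 rule fires on it even though it is not a POST, whereas the http_method variant does not.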


------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users