On Mon, 21 Mar 2005, Ofer Shezaf wrote:
The problem is that rm is one of a very long list of commands, and that
pcre is very expensive performance wise.
Even prefixing with a "uricontent" operator does not help much as two
letter words tend to crop up a lot (and it probably should be "content"
and not "uricontent" as rm could very well injected in a parameter
value).
So?
Write code better; Configure the server better; use application layer
security tools; but don't try to catch application layer issues such as
command or SQL injection with Snort.
I generally agree: performance, accuracy and specificity need to be weighed
for every sig. It's unfortunate that 'uricontent' is blind to POST'd
parameters, and similarly that 'content' understands no encoding, wherever it
occurs. IDS isn't a silver bullet, so don't let it be your only bullet.
However, you do still shoot the bullet. :) I'd temper your last remark --
after all, http_inspect *is* application layer smarts, however limited, inside
Snort. Comprehensive and perfect? No. Useful? Certainly.
Regards,
Mike
--
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
