[Snort-sigs] false positives for attack-response rules (and suggested fix)

From: Milani Paolo <Paolo.Milani(at)TILAB.COM>
Date: Fri Mar 19 2004 - 07:56:10 EST

Hello,

concerning sids 1292:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown; sid:1292; rev:7;)

and 1882:

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; distance:0; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:9;)

In some environments it can be normal to have telnet traffic in the network (not in very safe environments, I know). In which case these rules will fp a lot.

My suggestion is to change src port to !23 (or !$TELNET_PORTS).

This will not make environments where telnet traffic is not allowed less safe, I think, since telnet traffic is already detected with specific signatures.

my 2 cents,
Paolo Milani

---

CONFIDENTIALITY NOTICE
This message and its attachments are addressed solely to the persons above and may contain confidential information. If you have received the message in error, be informed that any use of the content hereof is prohibited. Please return it immediately to the sender and delete the message. Should you have any questions, please contact us by replying to MailAdmin@tilab.com. Thank you

---

---

This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id70&alloc_id638&opick

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Fri Mar 19 09:00:41 2004