[Snort-devel] False positives with misc.rules

Juha Laiho Juha.Laiho at ...912...
Sun Aug 11 17:49:01 EDT 2002


snort version 1.8.7 (from snort-1.8.7-1snort.rpm).

It seems I'm getting false alerts from one of the NNTP checks in
misc.rules -- namely:
08/10-22:48:19.434211  [**] [1:1792:3] NNTP return code buffer overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:119 -> xxx.xxx.xxx.xxx:42699

...where the packet triggering this was:
22:48:19.434211 xxx.xxx.xxx.xxx.119 > xxx.xxx.xxx.xxx.42699: P 26318:27093(775) ack 1193 win 10136 <nop,nop,timestamp 929902411 346167820> (DF)

and the rule is:
alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; content:"200 "; offset:0; dsize:>100; reference:bugtraq,4900; classtype:protocol-command-decode; sid:1792; rev:3;)


Ok, the packet is from port 119. It does contain "200 ". It is long.
But still it is legit -- and I'm getting a lot of these.
Is there any possibility to improve the rule?
-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
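Added illustration, not code from the post or from the Snort distribution: a small Python model of how Snort 1.x evaluates the content, offset, depth and dsize options of sid:1792. It shows why a legitimate article reply (status 222, with "200 " somewhere in the article text) matches: offset:0 with no depth lets the content match anywhere in the payload. The depth:4 variant is an assumed tweak that anchors the match at the start of the payload, not a rule from the Snort project, and the sample payloads are constructed.

```python
def parse_rule_options(rule):
    """Return the (key, value) option pairs from a Snort rule body.
    Covers the plain 'key:value;' form used by sid:1792 (no |hex| escapes)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for item in body.split(";"):
        if item.strip():
            key, _, val = item.strip().partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    return opts

def dsize_ok(spec, size):
    """Snort dsize forms: 'N', '>N', '<N' or 'N<>M' (exclusive range)."""
    if not spec:
        return True
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) < size < int(hi)
    if spec[0] == ">":
        return size > int(spec[1:])
    if spec[0] == "<":
        return size < int(spec[1:])
    return size == int(spec)

def rule_matches(rule, payload):
    """The content search starts at 'offset'; 'depth' bounds how many bytes
    from there may be searched; with no depth Snort searches to the end."""
    opts = dict(parse_rule_options(rule))
    if not dsize_ok(opts.get("dsize", ""), len(payload)):
        return False
    needle = opts["content"].encode("latin-1")
    window = payload[int(opts.get("offset", 0)):]
    if "depth" in opts:
        window = window[:int(opts["depth"])]
    return needle in window

# The rule as posted (sid:1792 rev:3).
ORIGINAL_RULE = ('alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code '
                 'buffer overflow attempt"; content:"200 "; offset:0; dsize:>100; '
                 'reference:bugtraq,4900; classtype:protocol-command-decode; sid:1792; rev:3;)')
# Assumed tweak for illustration only: anchor the match to the first 4 payload bytes.
ANCHORED_RULE = ORIGINAL_RULE.replace("offset:0;", "offset:0; depth:4;")

# Constructed sample payloads (not the bytes from the post).
LEGIT_ARTICLE = (b"222 0 <msgid@news.example.invalid>\r\n" + b"x" * 80
                 + b" hinta 200 euroa\r\n.\r\n")       # "200 " deep in the article body
SHORT_GREETING = b"200 news.example.invalid NNRP server ready (posting ok)\r\n"
LONG_200_RESPONSE = b"200 " + b"A" * 200                # the shape the rule is meant to catch
```

The option parser only handles the keyword forms this rule uses; it models the matching semantics and is not a substitute for Snort's detection engine.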