[Snort-devel] Re: False positives with misc.rules

Martin Roesch roesch at ...402...
Sun Aug 11 17:49:02 EDT 2002


The packet has the string "200" at offset 0x01d0 and the rest of the
conditions of the rule have been met.  It looks to me as if the author of
the rule wanted to constrain the rule to looking for the string at the
beginning of the packet payload.  That being the case, it should have been
written like this:

alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer
overflow attempt"; content:"200 "; offset:0; depth: 3; dsize:>100;
reference:bugtraq,4900; classtype:protocol-command-decode; sid:1792; rev:3;)

I'll touch up the rule...

     -Marty


On 8/10/02 4:22 PM, "Juha Laiho" <Juha.Laiho at ...912...> wrote:

> snort version 1.8.7 (from snort-1.8.7-1snort.rpm).
> 
> It seems I'm getting false alerts from one of the NNTP checks in
> misc.rules -- namely:
> 08/10-22:48:19.434211  [**] [1:1792:3] NNTP return code buffer overflow
> attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
> {TCP} xxx.xxx.xxx.xxx:119 -> xxx.xxx.xxx.xxx:42699
> 
> ...where the packet triggering this was:
> 22:48:19.434211 xxx.xxx.xxx.xxx.119 > xxx.xxx.xxx.xxx.42699: P
> 26318:27093(775) ack 1193 win 10136 <nop,nop,timestamp 929902411 346167820>
> (DF)
> 0x0000     4500 033b 9318 4000 fb06 13f4 c059 7be9    E..;.. at ...1536...{.
> 0x0010     50de 488f 0077 a6cb fc47 e545 5a76 f59c    P.H..w...G.EZv..
> 0x0020     8018 2798 c6c5 0000 0101 080a 376d 2f4b    ..'.........7m/K
> 0x0030     14a2 1a0c 3232 3220 3020 3c54 3265 3539    ....222.0.<T2e59
> 0x0040     2e34 3539 3624 454c 362e 3438 3138 3440    .4596$EL6.48184@
> 0x0050     6e65 7773 2e6b 706e 7177 6573 742e 6669    news.kpnqwest.fi
> 0x0060     3e0d 0a4d 696e 756c 6c61 206f 6e20 504f    >..Minulla.on.PO
> 0x0070     4d49 2033 3530 6d48 7a20 6b6f 6e65 656e    MI.350mHz.koneen
> 0x0080     206d 756b 616e 6120 7475 6c6c 7574 2047    .mukana.tullut.G
> 0x0090     412d 3638 3642 582d 656d 6f6c 6576 7920    A-686BX-emolevy.
> 0x00a0     280d 0a68 7474 703a 2f2f 7777 772e 6769    (..http://www.gi
> 0x00b0     6761 6279 7465 2e63 6f6d 2e74 772f 7072    gabyte.com.tw/pr
> 0x00c0     6f64 7563 7473 2f67 6136 3836 6278 2e68    oducts/ga686bx.h
> 0x00d0     746d 2029 206f 6c65 6e20 6d69 6574 7469    tm.).olen.mietti
> 0x00e0     6e79 7420 7575 6465 6e0d 0a70 726f 7365    nyt.uuden..prose
> 0x00f0     7373 6f72 696e 206f 7374 616d 6973 7461    ssorin.ostamista
> 0x0100     206b 6f6e 6565 6e69 206e 6f70 6575 7474    .koneeni.nopeutt
> 0x0110     616d 6973 656b 7369 2c20 6d75 7474 6120    amiseksi,.mutta.
> 0x0120     6b6f 736b 6120 656e 2074 616a 7561 0d0a    koska.en.tajua..
> 0x0130     7072 6f73 6573 736f 7265 6964 656e 2065    prosessoreiden.e
> 0x0140     726f 6973 7461 206a 6120 6e69 6964 656e    roista.ja.niiden
> 0x0150     2079 6874 6565 6e73 6f70 6976 7575 6465    .yhteensopivuude
> 0x0160     7374 6120 656d 6f6c 6576 796e 6920 6b61    sta.emolevyni.ka
> 0x0170     6e73 7361 2c20 6e69 696e 0d0a 616a 6174    nssa,.niin..ajat
> 0x0180     7465 6c69 6e20 6b79 7379 e420 6170 7561    telin.kysy..apua
> 0x0190     2e0d 0a4f 686a 656b 6972 6a61 7373 6120    ...Ohjekirjassa.
> 0x01a0     7361 6e6f 7461 616e 2065 7474 e420 656d    sanotaan.ett..em
> 0x01b0     6f20 7475 6b65 6520 5065 6e74 6975 6d20    o.tukee.Pentium.
> 0x01c0     4949 2070 726f 7365 7373 6f72 656a 6120    II.prosessoreja.
> 0x01d0     3230 302d 3633 336d 487a 0d0a 76e4 6c69    200-633mHz..v.li
> 0x01e0     6c74 e42c 206d 7574 7461 206f 6c65 6e20    lt.,.mutta.olen.
> 0x01f0     6b75 756c 6c75 7420 6574 74e4 206f 6c69    kuullut.ett..oli
> 0x0200     7369 206f 6c65 6d61 7373 6120 6164 6170    si.olemassa.adap
> 0x0210     7465 7265 6974 612c 206a 6f69 6c6c 610d    tereita,.joilla.
> 0x0220     0a65 7369 6d65 726b 696b 7369 2073 6169    .esimerkiksi.sai
> 0x0230     7369 6e20 6b6f 6e65 6573 6565 6e69 206b    sin.koneeseeni.k
> 0x0240     6969 6e6e 6920 796c 6920 3167 487a 2043    iinni.yli.1gHz.C
> 0x0250     656c 6572 6f6e 696e 3f20 4b75 696e 6b61    eleronin?.Kuinka
> 0x0260     2070 616c 6a6f 6e20 6ee4 6de4 0d0a 6164    .paljon.n.m...ad
> 0x0270     6170 7465 7269 7420 6d61 6b73 6176 6174    apterit.maksavat
> 0x0280     206a 6120 6d69 6be4 206f 6c69 7369 2070    .ja.mik..olisi.p
> 0x0290     6172 6173 2028 6869 6e74 612f 6c61 6174    aras.(hinta/laat
> 0x02a0     752f 6e6f 7065 7573 7375 6864 6529 2074    u/nopeussuhde).t
> 0x02b0     e46c 6ce4 0d0a 6865 746b 656c 6ce4 206a    .ll...hetkell..j
> 0x02c0     6f73 2072 6168 6161 206f 6e20 6b6f 6b6f    os.rahaa.on.koko
> 0x02d0     6e61 6973 7575 6465 7373 6161 6e20 3230    naisuudessaan.20
> 0x02e0     3020 6575 726f 6120 2870 726f 7365 7373    0.euroa.(prosess
> 0x02f0     6f72 6920 6a61 2061 6461 7074 6572 6929    ori.ja.adapteri)
> 0x0300     2e0d 0a0d 0a4b 6969 746f 7320 6a6f 2065    .....Kiitos.jo.e
> 0x0310     7475 6be4 7465 656e 2074 6965 646f 6973    tuk.teen.tiedois
> 0x0320     7461 206a 6120 6176 7573 7461 2e0d 0a0d    ta.ja.avusta....
> 0x0330     0a4d 0d0a 0d0a 0d0a 2e0d 0a                .M.........
> 
> and the rule is:
> alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer
> overflow attempt"; content:"200 "; offset:0; dsize:>100;
> reference:bugtraq,4900; classtype:protocol-command-decode; sid:1792; rev:3;)
> 
> 
> Ok, the packet is from port 119. It does contain "200 ". It is long.
> But still it is legit -- and I'm getting a lot of these.
> Is there any possibility to improve the rule?

-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
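Added example (not part of the thread above, and not Snort's own code): a small Python model of how the content, offset, depth and dsize options of sid:1792 decide whether the rule fires, run over constructed sample payloads rather than the bytes from the quoted packet. It follows Snort's documented semantics, where depth is the number of bytes searched starting at offset and the content must fit entirely inside that window, so a four-byte content such as "200 " needs a depth of at least 4 to be able to match at all; the example uses depth:4 for the anchored form. All helper and constant names are my own.

```python
# Added example: model of Snort content/offset/depth/dsize matching for
# sid:1792, to show why a rule with offset:0 but no depth fires on an
# ordinary article body that merely contains "200 " somewhere.
# Helper names are assumed (not Snort's); semantics follow the Snort rule docs.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ContentRule:
    """The payload-matching part of a rule: content, offset, depth, dsize."""
    name: str
    pattern: bytes               # content:"..."
    offset: int = 0              # offset:N  -> start searching at payload byte N
    depth: Optional[int] = None  # depth:N   -> search only N bytes from offset
    min_dsize: int = 0           # dsize:>N  -> payload must be longer than N bytes


def content_found(payload: bytes, rule: ContentRule) -> bool:
    """True if rule.pattern lies entirely inside the search window.

    The window starts at rule.offset and is rule.depth bytes long (or runs to
    the end of the payload when no depth is given).  Because the whole pattern
    must fit in the window, a depth shorter than the pattern never matches.
    """
    if rule.depth is None:
        window = payload[rule.offset:]
    else:
        window = payload[rule.offset:rule.offset + rule.depth]
    return window.find(rule.pattern) != -1


def rule_fires(payload: bytes, rule: ContentRule) -> bool:
    """Combine the dsize:>N test with the content test."""
    return len(payload) > rule.min_dsize and content_found(payload, rule)


# The rule as quoted in the thread: offset:0 but no depth, so "200 " is
# searched across the entire payload.
ORIGINAL = ContentRule("sid:1792 rev:3 as shipped", b"200 ",
                       offset=0, depth=None, min_dsize=100)
# The same rule constrained to the start of the payload.  depth:4 is the
# smallest value that can still hold the 4-byte content.
ANCHORED = ContentRule("anchored, offset:0 depth:4", b"200 ",
                       offset=0, depth=4, min_dsize=100)

# Constructed sample payloads (not the packet bytes from the thread).
# 1. A "222" article response whose body happens to contain "200 ".
LEGIT_ARTICLE = (
    b"222 0 <example@news.example>\r\n"
    b"The manual says the board takes Pentium II parts from 200-633 MHz,\r\n"
    b"and the total budget is about 200 euro for CPU and adapter.\r\n"
    b".\r\n"
)
# 2. A "200" greeting padded past the dsize threshold: the shape the rule
#    is written to catch.
LONG_GREETING = b"200 " + b"A" * 120 + b"\r\n"
# 3. An ordinary short greeting, well under dsize:>100.
SHORT_GREETING = b"200 news.example ready\r\n"


def firing_rules(payload: bytes) -> List[str]:
    """Return the names of the rule variants that fire on this payload."""
    return [r.name for r in (ORIGINAL, ANCHORED) if rule_fires(payload, r)]


if __name__ == "__main__":
    for label, p in [("legit article", LEGIT_ARTICLE),
                     ("long 200 greeting", LONG_GREETING),
                     ("short 200 greeting", SHORT_GREETING)]:
        print(f"{label:20s} dsize={len(p):4d} fires={firing_rules(p)}")
```

Running the script shows the shipped rule firing on the article body (the false positive from the thread) while the anchored form fires only on the long "200 " greeting; the short greeting trips neither because of dsize. Swapping the anchored rule's depth to 3 makes it unable to match even the long greeting, which is the check to make before deploying any content/depth pair.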
