[Snort-sigs] Why not the otherway around??

Chris Green cmg at ...26...
Wed Oct 17 09:01:19 EDT 2001


Edwin Eefting <edwin at ...149...> writes:

> Chris Green wrote:
> > 
>
> Yes, it's great for investigation. (I currently use a modified version
> of demarc.) But the cmd.exe and similar rules fill up our database to
> 200,000 events or more in a couple of days. :-)

Yes, I understand the data management problems.  That's why I pretty much
live off of alerts + binary captures + snortsnarf.

> Of course, but the network I'm monitoring already exists and may
> contain some hosts that are already infected. Some of the hosts are ADSL
> connections for normal home use, and we also want to be alerted if these
> people are infected in some way.

I'm glad to hear it.  It took a long time to get a lot of ISPs

>> We probably should try and add a lot more "outgoing rules" to the
>> default ruleset to make life easier on people.
>
> That's what I'm waiting for :)
>
>> >
>> > This rule almost never generates false positives and should be able to
>> > detect infected servers.
>> 
>> Save for one of cnet's business channels that created false positives:
>> it has a cgi named "admin-cmd.exe" or something like that.  I complained
>> to the address on the webpage it came up on and bounced around for a
>> while, but I don't think they ever renamed it.
>> 
>> To lower this type of false positive rate, I have thought about
>> creating something like "passcontent: admin_cmd.exe" that would work
>> after a rule is going to be declared successful and work at a certain
>> depth/offset (preferably with lots of knowledge about the previous
>> content rule so that it doesn't create a gaping hole in your ruleset
>> that easily).

> Can't you use the dynamic rules for this? (They don't seem to be used
> very often.)

They are somewhat complex, and transitioning away from them would be
nice (and is on the TODO, I believe).  They also install whole new
rules, whereas I'm really interested in only the single packet.

>> 
>> Lots of people have.  Perhaps there should be an "outgoing.rules" in
>> snort that contains the list of popular attacks, but it does fall into
>> one of the things that is part of tuning your own ruleset because that's
>> probably too many rules for a lot of folks to run.
>
> Well, maybe it is, but it's hard to investigate every rule and find out
> if it needs to be "turned around" somehow, and perhaps needs a higher
> priority.

I usually do "whatever was new on bugtraq" and whatever worms are out
there.

> It would be nice if these rules already existed and people could
> disable them at will. (demarc is very good at doing this.)
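The two ideas in this exchange, a cmd.exe rule "turned around" so it watches traffic leaving the monitored network, and the proposed "passcontent" exclusion for the known-benign admin-cmd.exe cgi, as an added illustration that is not part of the original post and not Snort code. The HOME_NET range, the packets, and the window-based passcontent semantics are assumptions made for the example (the thread only sketches the keyword); the Snort rule in the comment is a sketch of the direction flip, not a rule from the distribution.

```python
"""Toy matcher for an "outgoing" cmd.exe rule plus a hypothetical passcontent.

Added example; not Snort code and not code from the mailing list.  The
direction flip corresponds to writing the rule as (sketch, not a shipped rule):

    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"cmd.exe access (outgoing)"; content:"cmd.exe"; nocase;)

The "passcontent" behaviour below is the thread's proposal, implemented as:
fire on `content`, then suppress the alert if `passcontent` occurs within a
small window around the spot where `content` matched.  Window size and
HOME_NET are assumptions for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed monitored network (the "outgoing" side of the rule).
HOME_NET = ip_network("10.0.0.0/8")


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    msg: str
    content: bytes
    # Hypothetical "passcontent" from the thread: a string that, if found
    # near the content match, tells us the match is a known false positive.
    passcontent: Optional[bytes] = None
    pass_window: int = 8   # bytes of context on each side of the content match


def outbound_from_home(pkt: Packet) -> bool:
    """True when the packet leaves HOME_NET, i.e. the 'turned around' direction."""
    return ip_address(pkt.src) in HOME_NET and ip_address(pkt.dst) not in HOME_NET


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True when the rule fires on an outbound HTTP packet."""
    if pkt.dport != 80 or not outbound_from_home(pkt):
        return False
    idx = pkt.payload.lower().find(rule.content.lower())  # case-insensitive, like nocase
    if idx < 0:
        return False
    if rule.passcontent is not None:
        # Only look at bytes around the content hit, so the exclusion cannot
        # be abused by simply appending "admin-cmd.exe" elsewhere in a request.
        lo = max(0, idx - rule.pass_window)
        hi = idx + len(rule.content) + rule.pass_window
        if rule.passcontent.lower() in pkt.payload[lo:hi].lower():
            return False
    return True


RULE = Rule(
    msg="cmd.exe access (outgoing)",
    content=b"cmd.exe",
    passcontent=b"admin-cmd.exe",
)

# Constructed sample traffic, not captured data.
PACKETS = [
    # infected host inside HOME_NET probing an outside web server
    Packet("10.1.2.3", "192.0.2.10", 80,
           b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"),
    # benign request to the cgi named in the thread; passcontent suppresses it
    Packet("10.1.2.4", "192.0.2.20", 80,
           b"GET /cgi-bin/admin-cmd.exe?page=1 HTTP/1.0\r\n"),
    # inbound attack: same content, but not the outgoing rule's direction
    Packet("192.0.2.30", "10.1.2.3", 80,
           b"GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"),
    # ordinary outbound request
    Packet("10.1.2.5", "192.0.2.40", 80, b"GET /index.html HTTP/1.0\r\n"),
]


def run(rules=(RULE,), packets=PACKETS):
    """Return (source, msg) for every alert the outgoing rules produce."""
    return [(pkt.src, r.msg) for pkt in packets for r in rules if matches(r, pkt)]


if __name__ == "__main__":
    for src, msg in run():
        print(f"{src}: {msg}")
```

Only the first packet alerts: the admin-cmd.exe request is suppressed by the passcontent window, and the inbound probe falls outside the HOME_NET -> external direction this rule watches (the stock inbound rule would still catch it).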


