[Snort-sigs] Why not the other way around??

Joe McAlerney joey at ...80...
Thu Oct 18 18:35:14 EDT 2001


Edwin Eefting wrote:

> > To lower this type of false positive rate, I have thought about
> > creating something like "passcontent: admin_cmd.exe" that would work
> > after a rule is going to be declared successful and work at a certain
> > depth/offset ( preferably with lots of knowledge about the previous
> > content rule so that it doesn't create a gaping hole in your ruleset
> > that easily ).
> can't you use the dynamic rules for this? (they don't seem to be used
> very often it seems)
> 

A coworker (Roel Jonkman) and I had a discussion a while ago about doing
something like this.  In many cases, what is interesting is the response
that the target gives rather than what was thrown at it.  It often boils
down to policy.  Do you care if someone threw an IIS exploit at your
Apache server?  Would it be better to alert if your server sends
something back other than a "404 not found"?  What about something like:

activate tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Foo Exploit
attempt"; uricontent:"foo_you.pl"; activates:1;
classtype:attempted-recon;)
dynamic tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"Successful Foo
Exploit"; content:!"Web 404 Not found"; activated_by:1; count:10;)

Or something along those lines.

-Joe M.

-- 
|   Joe McAlerney     joey at ...79...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+
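Added example, not code from the original post and not Snort's own engine: a toy Python model of the activate/dynamic pairing Joe sketches above, showing that the response-side rule stays silent until the request-side rule fires and then inspects only `count` server packets. It assumes the standard HTTP status text "404 Not Found" in place of the post's placeholder string, and the packets in the usage are constructed sample data.

```python
# Added example, not code from the original post: a toy model of Snort's
# activate/dynamic rule pairing.  The dynamic (response-side) rule alerts
# only after the activate (request-side) rule fired, and only for `count`
# packets after that.  Rules and HTTP payloads are constructed sample data.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    msg: str
    sport: Optional[int]                # None means "any"
    dport: Optional[int]
    content: bytes
    negate: bool = False                # content:!"..." -> alert when ABSENT
    activates: Optional[int] = None     # activate rule: group it arms
    activated_by: Optional[int] = None  # dynamic rule: group that arms it
    count: int = 0                      # dynamic rule: packets to inspect

def _ports_ok(rule, pkt):               # pkt = (src_port, dst_port, payload)
    return rule.sport in (None, pkt[0]) and rule.dport in (None, pkt[1])

def _payload_ok(rule, pkt):
    found = rule.content in pkt[2]
    return not found if rule.negate else found

def run(rules, packets):                # replay packets, return alerts in order
    remaining = {}                      # id(dynamic rule) -> packets left
    alerts = []
    for pkt in packets:
        for r in rules:
            if not _ports_ok(r, pkt):
                continue
            if r.activated_by is not None:           # dynamic rule
                if remaining.get(id(r), 0) <= 0:
                    continue                         # not armed / budget spent
                remaining[id(r)] -= 1
                if _payload_ok(r, pkt):
                    alerts.append(r.msg)
            elif _payload_ok(r, pkt):                # plain or activate rule
                alerts.append(r.msg)
                if r.activates is not None:          # arm its dynamic group
                    for d in rules:
                        if d.activated_by == r.activates:
                            remaining[id(d)] = d.count
    return alerts

# The pair from the post, transcribed (assuming the real HTTP status text).
RULES = [
    Rule("Foo Exploit attempt", None, 80, b"foo_you.pl", activates=1),
    Rule("Successful Foo Exploit", 80, None, b"404 Not Found", negate=True, activated_by=1, count=10),
]
```

A lone 200 response never alerts, a request followed by a 404 yields only the "attempt" alert, and a request followed by a non-404 yields both.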
