[Snort-sigs] Why not the otherway around??

niceshorts at ...144...
Fri Oct 19 08:24:15 EDT 2001

Joe McAlerney wrote:

>Edwin Eefting wrote:
>> > To lower this type of false positive rate, I have thought about
>> > creating something like "passcontent: admin_cmd.exe" that would work
>> > after a rule is going to be declared successful and work at a certain
>> > depth/offset ( preferably with lots of knowledge about the previous
>> > content rule so that it doesn't create a gaping hole in your ruleset
>> > that easily ).
>> can't you use the dynamic rules for this? (they don't seem to be used
>> very often it seems)
>A coworker (Roel Jonkman) and I had a discussion a while ago about doing
>something like this.  In many cases, what is interesting is the response
>that the target gives rather than what was thrown at it.  It often boils
>down to policy.  Do you care if someone threw an IIS exploit at your
>Apache server?  Would it be better to alert if your server sends
>something back other than a "404 not found"?  What about something like:
>activate tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Foo Exploit
>attempt"; uricontent:"foo_you.pl"; activates:1;)
>dynamic tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"Successful Foo
>Exploit"; content:!"Web 404 Not found"; activated_by:1; count:10;)

    I don't see why not. There already exists a 403 response
    rule. A benefit for adding a 404 rule is to serve as a sanity
    check in case your developers forget to check links.

    As long as the signal to noise ratio remains manageable.
    Again a local policy issue.


HTTP request sent, awaiting response... 404 Object Not Found
ERROR 404: Object Not Found.
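The activate/dynamic pair quoted above, sketched as a small Python state machine so the response-side logic can be run over constructed traffic. This is an added example, not Snort code and not from anyone in the thread; the Packet tuple, the ActivateDynamic class and the addresses are assumptions, and it keys state on the client port and checks the HTTP status code rather than a body string, since Apache answers "404 Not Found" and IIS "404 Object Not Found" (as the wget output shows).

```python
import re
from collections import namedtuple

# One packet's worth of what the rules look at (constructed, not a real capture).
Packet = namedtuple("Packet", "src sport dst dport payload")

def is_http_404(payload: bytes) -> bool:
    # Check the status code, not the banner text: Apache says "404 Not Found",
    # IIS says "404 Object Not Found", so a literal content match is fragile.
    m = re.match(rb"HTTP/1\.[01] (\d{3})", payload)
    return m is not None and m.group(1) == b"404"

class ActivateDynamic:
    # activate: a request carrying the URI arms the pair for that connection;
    # dynamic: the next `count` server packets on that connection are inspected.
    def __init__(self, uri_fragment: bytes, count: int = 10):
        self.uri = uri_fragment
        self.count = count
        self.active = {}  # (server, client, client_port) -> replies still to inspect

    def process(self, pkt: Packet) -> list:
        alerts = []
        if pkt.dport == 80 and self.uri in pkt.payload:
            alerts.append(f"Foo Exploit attempt from {pkt.src}")
            self.active[(pkt.dst, pkt.src, pkt.sport)] = self.count
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.sport == 80 and key in self.active:
            # Alert only when the server answered with something other than a 404.
            if not is_http_404(pkt.payload):
                alerts.append(f"Successful Foo Exploit: {pkt.src} answered {pkt.dst}")
            self.active[key] -= 1
            if self.active[key] <= 0:
                del self.active[key]
        return alerts

def run_demo() -> list:
    # Constructed sample traffic using documentation addresses (assumed values).
    det = ActivateDynamic(b"foo_you.pl")
    packets = [
        Packet("198.51.100.5", 40000, "192.0.2.10", 80, b"GET /cgi-bin/foo_you.pl HTTP/1.0\r\n\r\n"),
        Packet("192.0.2.10", 80, "198.51.100.5", 40000, b"HTTP/1.1 404 Object Not Found\r\n\r\n"),
        Packet("198.51.100.5", 40001, "192.0.2.10", 80, b"GET /cgi-bin/foo_you.pl HTTP/1.0\r\n\r\n"),
        Packet("192.0.2.10", 80, "198.51.100.5", 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
        Packet("192.0.2.10", 80, "198.51.100.7", 40002, b"HTTP/1.1 200 OK\r\n\r\n"),  # never activated
    ]
    alerts = []
    for p in packets:
        alerts.extend(det.process(p))
    return alerts
```

Only the second exchange raises the "Successful" alert: the first server reply is a 404 and the last 200 belongs to a connection that never tripped the activate rule.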

