[Snort-sigs] more gripes about todays rule changes ;-)

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Thu Jun 6 08:11:03 EDT 2002


My suggestion for SQL_PORTS would fix this...  But snort currently doesn't
have the functionality to work with multiple non-sequential ports...

The Oracle grant rule (running on development) has created 67k records in 2
weeks... Watching all traffic going in/out of our network.  So far, I'm
unable to find a single positive.  I use Oracle very heavily, so I'll go in
and check out the rules.  I'm sure there are other args that could be added
that would decrease falses to almost nothing.

-----Original Message-----
From: Russell Fulton [mailto:r.fulton at ...575...] 
Sent: Thursday, June 06, 2002 12:21 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] more gripes about todays rule changes ;-)


The following new rules with sids:

1768
1748
1792
1690
1679

Cause large numbers of false +ves.  Some are attempts to detect buffer
overflows simply based on the amount of data in the packet (dsize); these are
generating nearly 1000 false positives an hour.  The others are Oracle rules
that trigger on simple words (e.g. describe and grant) on all ports including
web traffic.  Every web page that has these words triggers these rules.

Cheers, Russell.
-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
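
The scoping Chad's SQL_PORTS suggestion implies, and the "any port, bare keyword" problem Russell describes, side by side as an added illustration (constructed rules, not the sids discussed in the thread or any rule from the Snort distribution). It assumes the usual snort.conf variables $EXTERNAL_NET and $HOME_NET, a Snort that understands the flow keyword, and sids from the local 1000000+ range.

```snort
# Constructed example, not any of the rules the thread is about.
# Assumes $EXTERNAL_NET and $HOME_NET are defined as in a stock snort.conf.

# Database hosts and the single Oracle listener port.  The thread notes that
# Snort at the time could not take a non-sequential port list in a variable,
# so a single port is used here; a contiguous range such as 1521:1526 would
# also be accepted where that matches the listener configuration.
var SQL_SERVERS $HOME_NET
var SQL_PORTS 1521

# Over-broad form (the behaviour Russell reports): any host, any port, either
# direction, one bare keyword.  Any web page containing the word "grant"
# matches, so it fires on ordinary HTTP traffic.
alert tcp any any -> any any (msg:"ORACLE grant attempt - over-broad (constructed)"; \
    content:"grant"; nocase; sid:1000001; rev:1;)

# Scoped form: only established client-to-server traffic to the database hosts
# on the listener port.  Web traffic never reaches this rule at all, so the
# same keyword no longer produces the false positives from web pages.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $SQL_PORTS (msg:"ORACLE grant attempt - scoped (constructed)"; \
    flow:to_server,established; content:"grant"; nocase; sid:1000002; rev:1;)

# Same treatment for a dsize-only overflow rule: a payload-size threshold on
# its own matches any large packet, so it is paired with the target port,
# direction and a content check for the field the rule is meant to watch
# (PLACEHOLDER_FIELD= is a stand-in, not a real protocol field).
alert tcp any any -> any any (msg:"overflow attempt - dsize only (constructed)"; \
    dsize:>1000; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $SQL_PORTS (msg:"overflow attempt - scoped (constructed)"; \
    flow:to_server,established; content:"PLACEHOLDER_FIELD="; nocase; dsize:>1000; \
    sid:1000004; rev:1;)
```

Running both forms side by side for a while and comparing alert counts per sid is a quick way to confirm that the scoped versions drop the web-page hits without losing alerts on the listener port.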

