[Snort-sigs] mods to curb false positive on x11 rules?

Paul Chillman pchill at ...620...
Fri Jun 7 04:27:03 EDT 2002

On Thu, 2002-05-30 at 22:21, Michael Scheidell wrote:

 --- x11.rules.orig	Wed May 15 09:31:03 2002
> +++ x11.rules	Thu May 30 05:54:51 2002
> @@ -6,4 +6,4 @@
>  alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flags: A+; content: "MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:2;)
>  alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flags: A+; content: "|6c00 0b00 0000 0000 0000 0000|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:1;)
> -alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected";  flags:A+; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:2;)
> +alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected";  flags:SA; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:3;)
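Review bot: the `flags:SA` in the + line is an exact match, so sid 1227 now fires only on the server's SYN-ACK rather than on every ACK-bearing packet of the session; that does cut the noise, but an exact match also stops firing when the handshake reply carries the reserved (ECN) bits, so `flags:SA,12` would keep the rev:3 behaviour without that gap. The rule still keys on nothing but the source port range, so any external service on 6000:6005 answering a home client will still alert; the rev bump to 3 is correct.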

How about changing the port on the "$EXTERNAL_NET" to exclude well-known ports? That seems to be where the majority of the false alerts come from (for this rule and a lot of others).

Not sure how this could be done; there doesn't seem to be a "greater than" operator for the ports, although I guess it could be done with a range (something like 1025:65535?).

Anybody know if there'd be any great performance impact doing this sort of thing?
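As an added illustration (not code from the thread or from Snort), a small Python model of how a rule header's port spec and the `flags` option decide a match, run over constructed packets to compare sid 1227 rev:2 (`flags:A+`) with rev:3 (`flags:SA`) and the 1025:65535 source range suggested above. The modifier and mask handling follows Snort's documented semantics but is simplified; the packets are constructed, not captured.

```python
# Added example: a simplified model of Snort port specs and the "flags" option.
# Not Snort code; the packets below are constructed for illustration.

def port_matches(spec, port):
    """Port spec: 'any', 'N', 'lo:hi', ':hi', 'lo:', optionally prefixed with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def flags_match(spec, flags):
    """flags option: exact set unless '+' (given bits plus any), '*' (any of) or '!' (none of).
    Bits after a comma (e.g. ',12' for the reserved bits) are ignored when comparing."""
    want, _, mask = spec.partition(",")
    mode = next((c for c in want if c in "+*!"), "")
    want_set = set(want) - set("+*!")
    have = set(flags) - set(mask)
    if mode == "+":
        return want_set <= have
    if mode == "*":
        return bool(want_set & have)
    if mode == "!":
        return not (want_set & have)
    return want_set == have

def rule_matches(src_spec, dst_spec, flags_spec, pkt):
    return (port_matches(src_spec, pkt["sport"]) and port_matches(dst_spec, pkt["dport"])
            and flags_match(flags_spec, pkt["flags"]))

# Constructed packets from external hosts towards home clients ('1' = reserved bit / ECE).
PACKETS = {
    "synack":     {"sport": 6000, "dport": 34567, "flags": "SA"},
    "synack_ecn": {"sport": 6001, "dport": 34568, "flags": "SA1"},
    "data":       {"sport": 6000, "dport": 34567, "flags": "PA"},
    "http":       {"sport": 80,   "dport": 34569, "flags": "SA"},
}

def evaluate(flags_spec, src_spec="6000:6005"):
    """Names of the constructed packets sid 1227 would alert on with the given options."""
    return sorted(n for n, p in PACKETS.items() if rule_matches(src_spec, "any", flags_spec, p))

if __name__ == "__main__":
    for spec in ("A+", "SA", "SA,12"):
        print(spec, evaluate(spec))
```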
