[Snort-sigs] Use of A+ in sigs

Roger Suppona rasuppo at ...430...
Tue Mar 12 09:47:08 EST 2002


The dim reaches of my memory recall reading somewhere that the use of A+
was more of a performance consideration to avoid analyzing handshake
packets.  

A bit of content to analyze is substantially more accurate.  In this
case changing the protocol to ip, adding `content: "active blah";
nocase;` and removing `flags: A+;` would be much more accurate.

Of course you'll miss anything that has content other than "active
blah".  Additional rules with other shaft keywords will help improve
your chances of finding one or more of those bad boys on your network.

Roger

Roger Suppona
Sandia National Laboratories
rasuppo at ...430...

On Tue, 2002-03-12 at 09:12, Steve Halligan wrote:
> I have been getting some false positives as responses to some port scanning
> I have been doing.  For example:
> 
> ------------------------------------------------------------------------------
> #(4 - 215243) [2002-03-12 09:32:30]
> [arachNIDS/http://www.whitehats.com/info/IDS254]  DDOS shaft client to
> handler
> IPv4: xx.yy.zz.aa -> aa.bb.cc.dd
>       hlen=5 TOS=0 dlen=40 ID=0 flags=2 offset=0 TTL=230 chksum=7257
> TCP:  port=1501 -> dport: 20432  flags=***A*R** seq=0
>       ack=1237986158 off=5 res=0 win=0 urp=0 chksum=27764
> Payload: none
> 
> This is triggering on this rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to
> handler"; flags: A+; reference:arachnids,254; classtype:attempted-dos;
> sid:230; rev:1;) 
> 
> Since the Reset bit is set in the packet, can't we eliminate this false
> positive by doing something like flags: A+!R;
> I am not sure about that syntax, but am I wrong that if the Reset bit is
> set, this rule shouldn't trigger?
> 
> This would apply generally to a lot of rules that use flags: A+;
> 
> -Steve
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
