[Snort-sigs] Use of A+ in sigs

Steve Halligan agent33 at ...22...
Tue Mar 12 19:29:06 EST 2002


I have been getting some false positives as responses to some port scanning
I have been doing.  For example:

------------------------------------------------------------------------------
#(4 - 215243) [2002-03-12 09:32:30]
[arachNIDS/http://www.whitehats.com/info/IDS254]  DDOS shaft client to handler
IPv4: xx.yy.zz.aa -> aa.bb.cc.dd
      hlen=5 TOS=0 dlen=40 ID=0 flags=2 offset=0 TTL=230 chksum=7257
TCP:  port=1501 -> dport: 20432  flags=***A*R** seq=0
      ack=1237986158 off=5 res=0 win=0 urp=0 chksum=27764
Payload: none

This is triggering on this rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to handler"; flags: A+; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:1;)

Since the Reset bit is set in the packet, can't we eliminate this false
positive by doing something like flags: A+!R;
I am not sure about that syntax, but am I wrong that if the Reset bit is
set, this rule shouldn't trigger?

This would apply generally to a lot of rules that use flags: A+;

-Steve



