[Snort-sigs] rpc rstatd false alarms and adding rpc keyword?

Michael Scheidell scheidell at ...249...
Sat May 11 05:50:02 EDT 2002


I received 4 rpc statd query false alarms.
rpc.rules rule set, snort id 1278, rev 1 (from snort 1.8.6 rules)

I noticed on whitehats that they included 'rpc: 100001,*,*;' in their rule, but eliminated the content match.

alert UDP $EXTERNAL any -> $INTERNAL 32770: (msg:"IDS9/rpc_rpc-rstatd-query"; \
 rpc: 100001,*,*; classtype: info-attempt; reference: arachnids,9;)

Is the pattern match considered better, faster, cheaper than the rpc rule? Is
there too much overhead in that key?

original rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; \
 flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; \
reference:arachnids,9;classtype:attempted-recon; sid:1278; rev:1;)

or, current rule:
http://www.snort.org/snort-db/sid.html?id=1278
alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; \
flow:to_server; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; \
reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:2;)


suggested rule to eliminate false alarms?

alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; \
flow:to_server; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; \
rpc:100001,*,*; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:3;)
--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
http://www.secnap.net
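Added illustration (not part of the post above or of the Snort distribution) of what the two keywords actually check: the `content` match searches for the 12-byte sequence anywhere at or after `offset:5`, while `rpc:100001,*,*` decodes the fixed ONC RPC call header and compares the program number. The functions below are a simplified model of Snort's behaviour, and both packets are constructed samples; the second is a call to a different program whose XDR string argument happens to contain the same 12 bytes.

```python
import struct

# ONC RPC CALL header (RFC 1831): xid, msg_type (0 = CALL), rpcvers (2),
# prog, vers, proc, then credentials and verifier. Over TCP a 4-byte record
# mark precedes it; over UDP the header starts at byte 0 of the payload.
RSTATD_PROG = 100001                                   # 0x000186A1
CONTENT = bytes.fromhex("0000000000000002000186A1")    # msg_type, rpcvers, prog
CONTENT_OFFSET = 5

def snort_content_match(payload, pattern=CONTENT, offset=CONTENT_OFFSET):
    """Model of 'content' + 'offset': the pattern may sit anywhere at or after offset."""
    return payload.find(pattern, offset) != -1

def parse_rpc_call(payload, tcp=True):
    """Decode the fixed RPC call header; None if this is not an RPC v2 CALL."""
    body = payload[4:] if tcp else payload             # skip the TCP record mark
    if len(body) < 24:
        return None
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">6I", body[:24])
    if msg_type != 0 or rpcvers != 2:
        return None
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc}

def snort_rpc_match(payload, prog, vers=None, proc=None, tcp=True):
    """Model of 'rpc: prog,vers,proc' where None stands for '*'."""
    call = parse_rpc_call(payload, tcp)
    if call is None:
        return False
    return (call["prog"] == prog and vers in (None, call["vers"])
            and proc in (None, call["proc"]))

def build_tcp_call(prog, vers, proc, args=b"", xid=0x1234):
    """Constructed RPC CALL over TCP with AUTH_NULL credentials and verifier."""
    body = struct.pack(">6I", xid, 0, 2, prog, vers, proc)
    body += struct.pack(">4I", 0, 0, 0, 0) + args     # cred flavor/len, verf flavor/len
    return struct.pack(">I", 0x80000000 | len(body)) + body   # last-fragment record mark

# Constructed samples: a genuine rstatd call, and a call to another program
# (100005, mountd) whose XDR string argument contains the 12-byte sequence.
RSTATD_CALL = build_tcp_call(RSTATD_PROG, 3, 1)
OTHER_ARGS = struct.pack(">I", len(CONTENT)) + CONTENT
OTHER_CALL = build_tcp_call(100005, 1, 1, args=OTHER_ARGS)

if __name__ == "__main__":
    for name, pkt in (("rstatd", RSTATD_CALL), ("other", OTHER_CALL)):
        print(name, "content:", snort_content_match(pkt),
              "rpc:", snort_rpc_match(pkt, RSTATD_PROG))
```

The content search fires on both packets; the header decode fires only on the real rstatd call, which is why combining the two keywords narrows the match.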