[Snort-sigs] mods to curb false positive on x11 rules?
scheidell at ...249...
Thu May 30 03:23:01 EDT 2002
Early morning, first light, ssh in from home to office (NOT x11, NOT
tunneled x11) get 465 snort alerts against the x11.rules
(snort 1.87Beta5, including x11.rules)
egrep -c ^TCP
snort sig says flags A+ (Ack plus anything?)
Many of the packets logged had AP (Ack and Psh)
TCP: port=6000 -> dport: 22 flags=***AP*** seq=401500876
egrep -c '^TCP.*\*AP\*'
Many only had A
TCP: port=6000 -> dport: 22 flags=***A**** seq=401492556
egrep -c '^TCP.*\*A\*'
So, question one:
why did snort record those 47 rules?
I thought A+ meant the Ack flag and at least one more flag?
is the suggestion on whitehats a possible solution?
They suggest to look for the S and the A flags together.
do you want the SA (syn/ack) flags to trigger alert?
if so, here are the diffs, including bumping the rule rev:
(also attached for the 'line wrap' impaired)
--- x11.rules.orig Wed May 15 09:31:03 2002
+++ x11.rules Thu May 30 05:54:51 2002
@@ -6,4 +6,4 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flags: A+; content: "MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flags: A+; content: "|6c00 0b00 0000 0000 0000 0000|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:1;)
-alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flags:A+; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:2;)
+alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flags:SA; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:3;)
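Review bot: the change to flags:SA on sid:1227 is an exact-match test, so the rule now fires only on the SYN/ACK an external X server on port 6000-6005 sends back to a local client, one packet per connection; that is what "outbound client connection" intends, and it stops the ssh session in the message from matching, because its ACK/PSH and ACK-only packets from ephemeral port 6000 no longer satisfy the rule and the SYN/ACK of that session travels $HOME_NET -> $EXTERNAL_NET, outside the rule's direction. Two points to note when applying it: exact-match flags also reject a SYN/ACK that carries the reserved (ECN) bits, so if your Snort build supports the ignore field, `flags:SA,12;` keeps the same intent while tolerating them; and the two context rules (sid:1225, sid:1226) can keep `flags: A+`, since their content match is what narrows them. The rev bump to 3 on the modified line is correct.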
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
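An added example, not part of the original message and not Snort's own code, written from the rule-reviewer's side of the question above. It parses Snort packet-printout lines of the form quoted in the message ("TCP: port=... -> dport: ... flags=***AP*** seq=...") and evaluates a rule's flags: value against each packet using Snort's modifier semantics: no modifier means an exact match, `+` means the listed bits plus any others, `*` means any of the listed bits. The sample log is constructed (its first two lines reuse the two flag patterns quoted in the message); parse_line, flags_match and count_matches are names chosen here, not Snort APIs. Under these semantics an ACK-only packet does satisfy A+, which is why the ACK-only lines were logged, while flags:SA matches only the handshake reply.

```python
import re

# Column order of the 8-character flag field in Snort's packet printout:
# reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN.
# A '*' in a column means that bit is clear. (Assumption: matches the
# "***AP***" / "***A****" layout quoted in the message.)
FLAG_COLUMNS = "12UAPRSF"

LINE_RE = re.compile(
    r"^TCP: port=(\d+) -> dport: (\d+) flags=([*12UAPRSF]{8}) seq=(\d+)"
)

# Constructed sample log: lines 1 and 2 use the flag patterns quoted in the
# message; the rest are made up to exercise the other cases.
SAMPLE_LOG = """\
TCP: port=6000 -> dport: 22 flags=***AP*** seq=401500876
TCP: port=6000 -> dport: 22 flags=***A**** seq=401492556
TCP: port=6000 -> dport: 22 flags=******S* seq=401492000
TCP: port=6000 -> dport: 34567 flags=***A**S* seq=900000001
TCP: port=6000 -> dport: 22 flags=***A***F seq=401600000
"""


def parse_flags(flag_str):
    """Return the set of flag letters that are set in a Snort flag string."""
    return {ch for ch in flag_str if ch != "*"}


def parse_line(line):
    """Parse one printout line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "sport": int(m.group(1)),
        "dport": int(m.group(2)),
        "flags": parse_flags(m.group(3)),
        "seq": int(m.group(4)),
    }


def flags_match(rule, packet_flags):
    """Evaluate a Snort 'flags:' value against the set of flags on a packet.

    No modifier : the packet's flags must equal the listed bits exactly.
    '+'         : the listed bits must all be set; any others may be set too.
    '*'         : at least one of the listed bits must be set.
    '0'         : no flags set at all.
    (The '!' modifier is deliberately not modelled here.)
    """
    mod = rule[-1] if rule[-1] in "+*" else ""
    wanted = set(rule[:-1] if mod else rule)
    if wanted == {"0"}:
        return not packet_flags
    if mod == "+":
        return wanted <= packet_flags
    if mod == "*":
        return bool(wanted & packet_flags)
    return wanted == packet_flags


def count_matches(log_text, rule):
    """Analogue of the egrep -c in the message: count lines whose flags
    satisfy the given flags: value (non-matching lines are skipped)."""
    total = 0
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None and flags_match(rule, pkt["flags"]):
            total += 1
    return total


if __name__ == "__main__":
    # Show, per packet, whether the old (A+) and proposed (SA) tests fire.
    for line in SAMPLE_LOG.splitlines():
        pkt = parse_line(line)
        print(
            f"flags={''.join(sorted(pkt['flags'])):<3} "
            f"A+={flags_match('A+', pkt['flags'])!s:<5} "
            f"SA={flags_match('SA', pkt['flags'])!s:<5} {line}"
        )
    print("A+ matches:", count_matches(SAMPLE_LOG, "A+"))
    print("SA matches:", count_matches(SAMPLE_LOG, "SA"))
```

Running it over the sample log shows four A+ hits (every packet with ACK set, including the ACK-only one) against a single SA hit (the SYN/ACK), which is the reduction the proposed rule change buys.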