[Snort-sigs] mods to curb false positive on x11 rules?

Michael Scheidell scheidell at ...249...
Thu May 30 03:23:01 EDT 2002

Early morning, first light, ssh in from home to office (NOT x11, NOT
tunneled x11) get 465 snort alerts against the x11.rules
(snort 1.87Beta5, including x11.rules)
Freebsd 4.5

 egrep -c ^TCP
snort sig says flags A+ (Ack plus anything?)
Many of the packets logged had AP (Ack and Psh)
TCP:  port=6000 -> dport: 22  flags=***AP*** seq=401500876
egrep -c '^TCP.*\*AP\*'
Many only had A
TCP:  port=6000 -> dport: 22  flags=***A**** seq=401492556
 egrep -c  '^TCP.*\*A\*'

So, question one:
why did snort record those 47 rules?
I thought A+ ment the Ack flag any at least one more flag?

Question two:
is the suggestion on whitehats a possible solution?
They suggest to look for the S and the A flags together.

do you want the SA (syn/ack) flags to trigger alert?

if so, here are the diffs, including bumping the rule rev:
(also attached for the 'line wrap' impared)

--- x11.rules.orig	Wed May 15 09:31:03 2002
+++ x11.rules	Thu May 30 05:54:51 2002
@@ -6,4 +6,4 @@
 alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flags: A+; content: "MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flags: A+; content: "|6c00 0b00 0000 0000 0000 0000|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:1;)
-alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected";  flags:A+; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:2;)
+alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected";  flags:SA; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:3;)
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: x11.diffs.txt
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020530/44059b6d/attachment.txt>

More information about the Snort-sigs mailing list