[Snort-sigs] mods to curb false positive on x11 rules?

Imran William Smith iwsmith at ...500...
Thu May 30 03:36:24 EDT 2002


Q1) Well, the snort manual says flags regexp + means:

"+ ALL flag, match on all specified flags plus any others"

I take that to mean "and optionally, any of the others", but
certainly, the language is a bit confusing.

The relevant line from sp_tcp_flag_check.c in the snort source
code says:

 case '+': /* plus or all, fire if all flags specified are
                         present, other are don't care */


Q2) Don't know.


--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia



----- Original Message -----
From: "Michael Scheidell" <scheidell at ...249...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Thursday, May 30, 2002 6:21 PM
Subject: [Snort-sigs] mods to curb false positive on x11 rules?


| Early morning, first light, ssh in from home to office (NOT x11, NOT
| tunneled x11) get 465 snort alerts against the x11.rules
| (snort 1.87Beta5, including x11.rules)
| Freebsd 4.5
|
|  egrep -c ^TCP
| 465
| snort sig says flags A+ (Ack plus anything?)
| Many of the packets logged had AP (Ack and Psh)
| TCP:  port=6000 -> dport: 22  flags=***AP*** seq=401500876
| egrep -c '^TCP.*\*AP\*'
| 418
| Many only had A
| TCP:  port=6000 -> dport: 22  flags=***A**** seq=401492556
|  egrep -c  '^TCP.*\*A\*'
| 47
|
| So, question one:
| why did snort record those 47 rules?
| I thought A+ meant the Ack flag and at least one more flag?
|
| Question two:
| is the suggestion on whitehats a possible solution?
| http://www.whitehats.com/info/IDS126
| They suggest to look for the S and the A flags together.
|
| do you want the SA (syn/ack) flags to trigger alert?
|
| if so, here are the diffs, including bumping the rule rev:
| (also attached for the 'line wrap' impaired)
|
| --- x11.rules.orig Wed May 15 09:31:03 2002
| +++ x11.rules Thu May 30 05:54:51 2002
| @@ -6,4 +6,4 @@
|
|  alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flags: A+; content: "MIT-MAGIC-COOKIE-1";
reference:arachnids,396; classtype:attempted-user; sid:1225; rev:2;)
|  alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flags: A+; content: "|6c00 0b00 0000 0000 0000 0000|";
reference:arachnids,395; classtype:unknown; sid:1226; rev:1;)
| -alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected";  flags:A+;
reference:arachnids,126; classtype:misc-activity; sid:1227; rev:2;)
| +alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected";  flags:SA;
reference:arachnids,126; classtype:misc-activity; sid:1227; rev:3;)
| --
| Michael Scheidell
| SECNAP Network Security, LLC
| (561) 368-9561 scheidell at ...249...
| http://www.secnap.net/
|
|
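The flag-matching semantics discussed in this thread (why A+ fires on an ACK-only packet, and what flags:SA changes), as an added Python model that is not part of the original posts or of Snort itself. It follows the four modes of Snort's sp_tcp_flag_check.c (exact, `+` all, `*` any, `!` not) and the eight-column flag field Snort writes to its packet logs; the assumption that a modifier may sit anywhere in the flags string is mine, and the third log line is constructed.

```python
"""Model of how Snort (1.x/2.x) evaluates the rule option 'flags:' against a
packet's TCP flags, applied to the packets quoted in this thread.  Added
illustration, not Snort's own code; the comparison logic follows the four
modes in Snort's sp_tcp_flag_check.c."""

from typing import Optional, Set, Tuple

# Column order of the 8-character flag field in Snort's packet logs
# (e.g. "***AP***"): reserved bit 1, reserved bit 2, URG, ACK, PSH, RST,
# SYN, FIN.  A '*' means that bit is clear.
FLAG_ORDER = "12UAPRSF"


def parse_logged_flags(field: str) -> Set[str]:
    """Turn a log field such as 'flags=***AP***' (or the bare 8-char string)
    into the set of flag letters that are set, here {'A', 'P'}."""
    text = field.split("=", 1)[-1].strip()
    if len(text) != len(FLAG_ORDER):
        raise ValueError(f"expected an 8-character flag string, got {text!r}")
    flags: Set[str] = set()
    for ch, column in zip(text, FLAG_ORDER):
        if ch == "*":
            continue
        if ch != column:
            raise ValueError(f"unexpected {ch!r} in the {column!r} column: {text!r}")
        flags.add(ch)
    return flags


def parse_rule_flags(spec: str) -> Tuple[Optional[str], Set[str]]:
    """Split a rule's flags value ('A+', 'SA', '*SA', '!S', '0') into
    (modifier, flag set).  Assumption: the modifier is accepted anywhere in
    the string, as Snort's per-character parser does."""
    modifier: Optional[str] = None
    flags: Set[str] = set()
    for ch in spec.strip():
        if ch in "+*!":
            if modifier is not None:
                raise ValueError(f"more than one modifier in {spec!r}")
            modifier = ch
        elif ch.upper() in FLAG_ORDER:
            flags.add(ch.upper())
        elif ch == "0":
            pass  # 'flags:0' means no flags set; the empty set covers it
        else:
            raise ValueError(f"unknown flag character {ch!r} in {spec!r}")
    return modifier, flags


def flags_match(spec: str, packet_flags: Set[str]) -> bool:
    """Apply Snort's four matching modes:
         (none)  exact: the packet must carry exactly these flags
         +       ALL:   every specified flag set, others don't care
         *       ANY:   at least one specified flag set, others don't care
         !       NOT:   none of the specified flags set, others don't care
    The ',mask' suffix of later Snort versions is not modelled."""
    modifier, wanted = parse_rule_flags(spec)
    if modifier is None:
        return packet_flags == wanted
    if modifier == "+":
        return wanted <= packet_flags
    if modifier == "*":
        return bool(wanted & packet_flags)
    return not (wanted & packet_flags)  # '!'


def count_matching(spec: str, log_lines) -> int:
    """Count logged packets whose flags satisfy the rule's flags: option."""
    total = 0
    for line in log_lines:
        field = next(tok for tok in line.split() if tok.startswith("flags="))
        if flags_match(spec, parse_logged_flags(field)):
            total += 1
    return total


# The two packet lines quoted in the thread, plus a constructed SYN/ACK line.
SAMPLE_LOG = [
    "TCP:  port=6000 -> dport: 22  flags=***AP*** seq=401500876",
    "TCP:  port=6000 -> dport: 22  flags=***A**** seq=401492556",
    "TCP:  port=6000 -> dport: 22  flags=***A**S* seq=401492000",  # constructed
]

if __name__ == "__main__":
    for spec in ("A+", "SA", "A", "*SA", "!S"):
        hits = count_matching(spec, SAMPLE_LOG)
        print(f"flags:{spec:<4} matches {hits} of {len(SAMPLE_LOG)} logged packets")
```

Running it shows the point of the thread: flags:A+ accepts both the ACK/PSH packets and the ACK-only ones (the 47 that looked surprising), because `+` only requires the listed flags to be present; flags:SA, an exact match, accepts only the constructed SYN/ACK line and neither of the packets from the SSH session.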
