[Snort-sigs] mods to curb false positive on x11 rules?

Russell Fulton r.fulton at ...575...
Thu May 30 14:47:01 EDT 2002

On Thu, 2002-05-30 at 22:21, Michael Scheidell wrote:

 --- x11.rules.orig	Wed May 15 09:31:03 2002
> +++ x11.rules	Thu May 30 05:54:51 2002
> @@ -6,4 +6,4 @@
>  alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flags: A+; content: "MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:2;)
>  alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flags: A+; content: "|6c00 0b00 0000 0000 0000 0000|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:1;)
> -alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected";  flags:A+; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:2;)
> +alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected";  flags:SA; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:3;)
> -- 

Ah!  Firstly I had not realised Arachnids was back on the air,  Great!
Secondly I too have been having regular problems with false +ves on X11
rules of the nature of those described by Michael.  I too had wondered
about explicitly checking for SYN+ACKs, but another approach that
occurred to me was to use the new direction attribute (if I understand
it correctly) to eliminate false +ve on *source* ports of 600x.  

I have not had enought time to investigate this matter properly yet.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

More information about the Snort-sigs mailing list