[Snort-sigs] False positives with SID 1337 and SID 1378

Jon warchild at ...288...
Wed Feb 5 11:50:27 EST 2003

I've found a number of false positives with the SIDs mentioned above.

Actually, they aren't really false positives because I don't see why the
rules are getting triggered. 

1377 looks for ~ and [ with at least 1 byte between the two (that's what the
distance modifier claims to do).

1378 looks for ~ and { with at least 1 byte between the two.

Here are two strings that triggered these rules:

RETR /home/user/homework/hw4/problem1/1-5/BankAccount.java~..

RETR /home/user/homework/hw4/problem1/1-6&1-7/SavingAccount.java~..

Both of these strings contain ~, but neither contains the [ or the {.

So, why are they triggering? There is almost certainly a [ and a { in this
FTP transfer, but probably long after the RETR command is executed and
certainly after this packet has passed. Does 'distance' search forever?

I have stream4_reassemble in its default state and follow SNORT_1_9 in CVS.

The other question is...  All of the attacks that I saw back when this
particular bug was being actively exploited did something like 'CWD ~{'.
But, it looks like the only requirement is that the glob end in a { or [,
so the glob could be arbitrarily large.  Was that the thinking behind:

   content:"~"; content:"{"; within:1;


   content:"~{";   ?

With that in mind, the rule in its current form would *not* catch 'CWD
~{....', right?

Any help or insight would be appreciated.
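
Added example, not part of the original post and not Snort's own code: a simplified Python model of relative content matching as the post describes it (`distance:1` versus `within:1`), run over constructed payloads. The rule tuples, the sample buffers and the reading of the trailing ".." as CRLF are assumptions.

```python
# Simplified model of Snort relative content matching (added example).
# Only content, distance and within are modelled, on one buffer.

def match_chain(payload, chain):
    """chain is a list of (pattern, distance, within); None means unset.

    Each content after the first is searched from the end of the previous
    match: distance:N skips N bytes first, within:N requires the match to
    end no more than N bytes past that start. Without within, the search
    runs to the end of the buffer. Combining both on one content is
    modelled here as an assumption and is not exercised below.
    """
    def search(idx, cursor):
        if idx == len(chain):
            return True
        pattern, distance, within = chain[idx]
        start = cursor + (distance or 0)
        end = len(payload) if within is None else min(len(payload), start + within)
        pos = payload.find(pattern, start, end)
        while pos != -1:
            if search(idx + 1, pos + len(pattern)):
                return True
            pos = payload.find(pattern, pos + 1, end)
        return False
    return search(0, 0)

# Rule shapes taken from the post's description, not from the Snort rule files.
DISTANCE_BRACKET = [(b"~", None, None), (b"[", 1, None)]
DISTANCE_BRACE = [(b"~", None, None), (b"{", 1, None)]
WITHIN_BRACE = [(b"~", None, None), (b"{", None, 1)]   # content:"~"; content:"{"; within:1;

# Constructed payloads; the ".." in the post is assumed to be CRLF.
RETR = b"RETR /home/user/homework/hw4/problem1/1-5/BankAccount.java~\r\n"
SAMPLES = {
    "RETR line alone": RETR,
    "RETR line plus later brace": RETR + b"public class BankAccount {\r\n",
    "CWD ~{": b"CWD ~{\r\n",
    "CWD long glob": b"CWD ~user/dir{\r\n",
}

def evaluate():
    rules = {"distance [": DISTANCE_BRACKET, "distance {": DISTANCE_BRACE, "within {": WITHIN_BRACE}
    return {(s, r): match_chain(p, c) for s, p in SAMPLES.items() for r, c in rules.items()}

if __name__ == "__main__":
    for (sample, rule), hit in evaluate().items():
        print(f"{sample:28} {rule:11} {'ALERT' if hit else '-'}")
```

In this model the RETR line by itself never alerts, and a distance-only match fires only when the inspected buffer also holds a later `{` or `[`.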


