[Snort-sigs] Problem with pop3.rules and ftp.rules
Andrew J. Hobbs
andrew at ...1279...
Tue Feb 11 06:41:06 EST 2003
After updating the ruleset, ftp.rules (v 220.127.116.11 2003/02/07 22:04:50)
reports a positive hit every time a legitimate FTP session is
established. Likewise, pop3.rules (v 18.104.22.168 2002/11/17 04:40:09)
reports a false positive for connections to our POP server as well.
The specific culprit seems to be an inverted rule. Preface: I've used
snort for a long time in a configure-and-hands-off kind of way, so rule
design is NOT my bag. This is strictly shoot-from-the-hip sort of
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow
attempt"; flow:to_server,established; content:"USER "; nocase;
content:!"|0a|"; within:50; reference:bugtraq,789;
classtype:attempted-admin; sid:1866; rev:4;)
Note the content part. content:!"|0a|"; 0a should be legit if it's
WITHIN 50 bytes, but instead, there is an inversion (if I read these
right) to not within 50 bytes. If that's the case, legit passwords are
flagged as a priority one exploit attempt. This is in fact the
behavior we're seeing as every attempt to check mail sends up a red
alert flag. The problems with FTP.RULES are very similar.
Any light shed would be appreciated. Am I right in this? Or totally
off base.... If off base, then why the heck are we redflagging legit users?