[Snort-sigs] Problem with pop3.rules and ftp.rules
Kenneth G. Arnold
bkarnold at ...1280...
Tue Feb 11 07:29:03 EST 2003
I updated my rules yesterday and I am getting similar results from pop3
and ftp rules. I have had to disable just about all of the rules because
they were firing on what certainly appeared to be legitimate traffic.
On Tue, 11 Feb 2003, Andrew J. Hobbs wrote:
> After updating the ruleset, ftp.rules (v 22.214.171.124 2003/02/07 22:04:50)
> reports a positive hit every time a legitimate FTP session is
> established. Likewise for pop3.rules (v 126.96.36.199 2002/11/17 04:40:09)
> reports a false positive for connections to our pop server as well.
> The specific culprit seems to be an inverted rule. Preface: I've used
> snort for a long time in a configure-hands off kind of way, so rule
> design is NOT my bag. This is strictly shoot from hip sort of
> SID: 1866
> alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow
> attempt"; flow:to_server,established; content:"USER "; nocase;
> content:!"|0a|"; within:50; reference:bugtraq,789;
> reference:cve,CVE-1999-0494; reference:nessus,10311;
> classtype:attempted-admin; sid:1866; rev:4;)
> Note the content part. content:!"|0a|"; 0a should be legit if it's
> WITHIN 50 bytes, but instead, there is an inversion (if I read these
> right) to not within 50 bytes. If that's the case, legit passwords are
> flagged as a priority one exploit attempt. This is in fact the
> behavior we're seeing as every attempt to check mail sends up a red
> alert flag. The problems with FTP.RULES are very similar.
> Any light shed would be appreciated. Am I right in this? Or totally
> offbase.... If offbase then why the heck are we redflagging legit users?
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
More information about the Snort-sigs