[Snort-sigs] sid 1748 needs retuning

Brian bmc at ...95...
Mon Nov 17 14:09:08 EST 2003


On Fri, Nov 14, 2003 at 02:29:58PM +0100, David Wilburn wrote:
> SID 1748 (FTP command overflow attempt) needs to be retuned, I suspect. 
>  It is now set to alarm on any traffic sent to port 21 with more than 
> 100 bytes.  The trouble is, when files are referenced with a full path, 
> this is very often exceeded with perfectly normal traffic.
> 
> What is the realistic minimum amount of data required for a buffer 
> overflow?  I suspect it is a bit above 100 bytes.  Can we get the dsize 
> cranked up to a more acceptable number?
> 
> This is a pretty generic rule, designed as somewhat of a catch-all.  I 
> think it would be better to have it lean more towards not catching some 
> *really* tight attacks, with the hope that known attacks will have a 
> specific signature for them, than the current leaning towards false 
> alarming.

If the rule doesn't work in your environment, then turn it off.  The
rule will get re-visited soon anyway, but it's easy enough to tweak
the rules to meet your own needs.

Since localized tweaks to rules are a common request, I'll add 
functionality to snortconfig that allows you to tweak rules in any 
arbitrary manner you see fit.

BTW, this isn't really an official announcement, but I'm working on a
snort configuration utility that will allow the basic configuration
tweaks that most sites need.

Check it out.

snortconfig - a simple yet complicated rules maintenance system

    http://www.shmoo.com/~bmc/software/snortconfig/

snortconfig is a rules modification system for snort that is generated
from a configuration file. This allows a user to keep their ruleset
updated without too much of a headache. Configuration is done using a
basic INI style configuration.

-brian
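One way to do the kind of localized, per-sid tweak this thread asks for, as an added example that is not snortconfig's code and is not from the original post. It assumes an INI file with one section per sid whose keys are rule options to override (plus `enabled = no` to comment a rule out). The rules text, the override values, and the FTP command lines are constructed samples; the sid:1748 line is a reconstruction of the rule shape the thread describes (port 21, dsize:>100), not a copy of the official ruleset.

```python
"""Apply per-sid option overrides to a Snort rules file from an INI config.

Added example for this thread (not snortconfig's code).  All inputs below
are constructed samples.
"""
import configparser

# Constructed rules file.  sid:1748 mirrors the rule shape discussed in the
# thread; its exact option list is an assumption.  sid:1000001 is a made-up
# local rule used only to show the enabled=no path.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established; dsize:>100; classtype:attempted-admin; sid:1748; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL constructed example"; flow:to_server,established; content:"STAT"; nocase; classtype:misc-activity; sid:1000001; rev:1;)
"""

# Constructed INI-style overrides: section name is the sid, keys are rule
# options to set; 'enabled = no' comments the whole rule out.
SAMPLE_TWEAKS = """\
[1748]
dsize = >300

[1000001]
enabled = no
"""

# Constructed FTP payloads: a full-path RETR that is perfectly normal traffic
# yet exceeds 100 bytes, and a short command that does not.
LONG_PATH_RETR = (b'RETR /export/projects/engineering/releases/2003/november/'
                  b'snort-2.0.5-signatures-contrib-tarball-with-docs.tar.gz\r\n')
SHORT_CMD = b'USER anonymous\r\n'


def split_options(body):
    """Split the text inside (...) on ';' outside double quotes -> [(key, value|None)]."""
    opts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            opts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        opts.append(tail)
    result = []
    for o in opts:
        key, sep, val = o.partition(':')
        result.append((key.strip(), val.strip() if sep else None))
    return result


def parse_rule(line):
    """Split 'header (options)' into the header string and an ordered option list."""
    head, _, rest = line.partition('(')
    body = rest.rstrip()
    if body.endswith(')'):
        body = body[:-1]
    return head.strip(), split_options(body)


def format_rule(head, opts):
    parts = [f'{k}:{v};' if v is not None else f'{k};' for k, v in opts]
    return f'{head} ({" ".join(parts)})'


def tune_rules(rules_text, tweaks_text):
    """Return rules_text with the INI overrides applied; untouched lines pass through."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep option names exactly as written
    cfg.read_string(tweaks_text)
    out = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#') or '(' not in line:
            out.append(line)
            continue
        head, opts = parse_rule(line)
        sid = next((v for k, v in opts if k == 'sid'), None)
        if sid is None or not cfg.has_section(sid):
            out.append(line)
            continue
        section = cfg[sid]
        if section.get('enabled', 'yes').strip().lower() == 'no':
            out.append('# ' + line)  # disabled locally, upstream text kept for reference
            continue
        for key, val in section.items():
            if key == 'enabled':
                continue
            idx = next((i for i, (k, _) in enumerate(opts) if k == key), None)
            if idx is not None:
                opts[idx] = (key, val)        # override an existing option in place
            else:
                sid_idx = next(i for i, (k, _) in enumerate(opts) if k == 'sid')
                opts.insert(sid_idx, (key, val))  # new option goes before the sid/rev metadata
        out.append(format_rule(head, opts))
    return '\n'.join(out) + '\n'


def dsize_matches(spec, length):
    """Evaluate a dsize spec ('>N', '<N', 'N', 'N<>M') against a payload length.
    The N<>M range is treated as inclusive here (an assumption for this example)."""
    spec = spec.strip()
    if '<>' in spec:
        lo, hi = (int(x) for x in spec.split('<>'))
        return lo <= length <= hi
    if spec.startswith('>'):
        return length > int(spec[1:])
    if spec.startswith('<'):
        return length < int(spec[1:])
    return length == int(spec)


def fires(rule_line, payload):
    """True if the rule's dsize option (if any) matches the payload length."""
    _, opts = parse_rule(rule_line)
    spec = next((v for k, v in opts if k == 'dsize'), None)
    return spec is None or dsize_matches(spec, len(payload))


def rule_for_sid(rules_text, sid):
    """Return the active (uncommented) rule line carrying this sid, or None."""
    for line in rules_text.splitlines():
        if f'sid:{sid};' in line and not line.lstrip().startswith('#'):
            return line
    return None


if __name__ == '__main__':
    tuned = tune_rules(SAMPLE_RULES, SAMPLE_TWEAKS)
    print(tuned)
    before, after = rule_for_sid(SAMPLE_RULES, 1748), rule_for_sid(tuned, 1748)
    print('long-path RETR fires stock rule:', fires(before, LONG_PATH_RETR))
    print('long-path RETR fires tuned rule:', fires(after, LONG_PATH_RETR))
```

Because the overrides live in a separate INI file keyed by sid, they can be reapplied after each upstream rules update instead of being lost when the vendor file is replaced, which is the problem snortconfig is meant to solve. The option splitter respects quotes so a `;` inside `msg:"..."` does not break a rule apart; it does not handle the multi-line (backslash-continued) rule syntax.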
