[Snort-sigs] Few posistives on several rules on POP3
jake_roberts at ...1807...
Wed Oct 22 15:01:07 EDT 2003
I posted with the same question but got little response. I am starting to get the feeling that the recommended solutions to these types of rule problems are:
1. Turn the rule off
2. Use some sort of ignore rule or BPF
3. Use thresholding so you don't see so many false positives (you won't see the true positives either in many cases)
This seems like the wrong attitude to me.
Shouldn't we be concerned with improving the sigs so they detect the correct packets and don't produce so many false positives? Isn't snort only as powerful/useful as the ruleset you are using with it? I know that's not entirely true, but what good is a really powerful matching engine that always matches everything because the matching rules are poorly written?
It seems like we need some sort of signature/rule user system for creating, improving, replacing, repairing, etc. Suppose I fix my rules, how do I get those submitted, tested, approved and whatever else so all the other snort users can get them too?
Right now people can post them here, but searching the list archives for a sig update isn't very effective. Is there some other method that I am unaware of?
Just my thoughts and frustrations,
From: snort-sigs-admin at lists.sourceforge.net [mailto:snort-sigs-admin at ...1979....sourceforge.net] On Behalf Of Cedric Foll
Sent: Wednesday, October 22, 2003 2:23 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Few posistives on several rules on POP3
I get a lot of false positives on several rules related to POP3.
1) The rule 2109 POP3 TOP overflow attempt
This kind of packet matches the rule.
***AP*** Seq: 0x2E7D045E Ack: 0x7C02CC6E Win: 0xF86E TcpLen: 20
54 4F 50 20 38 20 39 39 39 39 39 39 39 39 0D 0A TOP 8 99999999..
I think that this kind of packet is normal, right?
The "within" option should be greater than 10. This kind of packet is
very frequent in my traffic.
2) Rules POP3 (AUTH|USER) overflow attempt
TCP TTL:119 TOS:0x0 ID:1280 IpLen:20 DgmLen:57
***AP*** Seq: 0xF0F0DFA7 Ack: 0xFB8945D3 Win: 0x7F1E TcpLen: 32
TCP Options (3) => NOP NOP TS: 866 166313267
41 55 54 48 20 AUTH
TCP TTL:119 TOS:0x0 ID:1286 IpLen:20 DgmLen:56
***AP*** Seq: 0xF0F0DFD7 Ack: 0xFB894607 Win: 0x7EEA TcpLen: 32
TCP Options (3) => NOP NOP TS: 874 166313345
53 54 41 54 STAT
I don't know what to think about these kinds of packets...
I get a lot of these from a lot of different IP addresses.
The problem is that the client doesn't send any |0a| byte.
We should add at least a "dsize:>15", right?
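As an added illustration (not the Snort rules' own text, and not code posted in the thread), the following Python models the rule shape under discussion, a command keyword followed by a negated |0a| check within N bytes and no minimum size, evaluated per TCP segment, and runs it over the three payloads quoted above with the original and the proposed options. The window sizes (10 for TOP, 50 for AUTH), anchoring the keyword at the start of the payload, and modelling dsize:>15 as a 16-byte minimum are assumptions.

```python
# Payloads transcribed from the hex dumps quoted in the thread (constructed sample set).
PACKETS = {
    "TOP 8 99999999": b"TOP 8 99999999\r\n",  # 16 bytes, ordinary TOP command
    "AUTH":           b"AUTH ",              # 5 bytes, command segment with no newline
    "STAT":           b"STAT",               # 4 bytes, next segment, still no newline
}


def no_newline_after(payload: bytes, keyword: bytes, within: int, dsize_min: int = 0) -> bool:
    """Model of one POP3 overflow rule applied to a single TCP segment.

    keyword   -- command the content match looks for at the start of the payload (assumption)
    within    -- bytes after the keyword covered by the negated |0a| check (assumed window)
    dsize_min -- minimum payload length; 0 = no dsize option, 16 models dsize:>15
    Returns True when the modelled rule would alert.
    """
    if len(payload) < dsize_min:
        return False
    if not payload.startswith(keyword):
        return False
    window = payload[len(keyword):len(keyword) + within]
    # A negated content with "within" is satisfied when no newline appears in the
    # window. If the segment ends early, the window is short and still contains no
    # newline, which is exactly why a bare "AUTH " segment fires the rule.
    return b"\n" not in window


def evaluate(within_top: int, dsize_min: int) -> dict:
    """Which sample packets alert for a given TOP window and minimum dsize."""
    return {
        name: (no_newline_after(payload, b"TOP", within_top, dsize_min)
               or no_newline_after(payload, b"AUTH", 50, dsize_min))
        for name, payload in PACKETS.items()
    }


if __name__ == "__main__":
    # Original options: TOP window of 10, no dsize check -> both TOP and AUTH alert.
    print("original options :", evaluate(within_top=10, dsize_min=0))
    # Proposed options: window above 10 (13 covers the whole sample line) and dsize:>15.
    print("tightened options:", evaluate(within_top=13, dsize_min=16))
```

A genuinely long argument (for example 60 bytes after "AUTH " without a newline) still alerts under the tightened options, so the change removes the short-segment false positives rather than the detection.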