[Snort-sigs] False positives on several rules on POP3

Jacob Roberts jake_roberts at ...1807...
Wed Oct 22 15:01:07 EDT 2003

I posted with the same question but got little response.  I am starting to get the feeling that the recommended solutions to these types of rule problems are:
	1.  Turn the rule off
	2.  Use some sort of ignore rule or BPF
	3.  Use thresholding so you don't see so many false positives (you won't see the true positives either in many cases)

This seems like the wrong attitude to me.

Shouldn't we be concerned with improving the sigs so they detect the correct packets and not produce so many false positives?  Isn't Snort only as powerful/useful as the ruleset you are using with it? I know that's not entirely true, but what good is a really powerful matching engine that always matches everything because the matching rules are poorly written?

It seems like we need some sort of signature/rule user system for creating, improving, replacing, repairing, etc.  Suppose I fix my rules, how do I get those submitted, tested, approved and whatever else so all the other snort users can get them too?

Right now people can post them here, but searching the list archives for a sig update isn't very effective.  Is there some other method that I am unaware of?

Just my thoughts and frustrations,

Jake Roberts

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net [mailto:snort-sigs-admin at ...1979....sourceforge.net] On Behalf Of Cedric Foll
Sent: Wednesday, October 22, 2003 2:23 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] False positives on several rules on POP3


I get a lot of false positives on several rules related to POP3.

1)  The rule 2109 POP3 TOP overflow attempt

This kind of packet matches the rule.
***AP*** Seq: 0x2E7D045E  Ack: 0x7C02CC6E  Win: 0xF86E  TcpLen: 20
54 4F 50 20 38 20 39 39 39 39 39 39 39 39 0D 0A  TOP 8 99999999..

I think that this kind of packet is normal, right?
The "within" option should be greater than 10. This kind of packet is
very frequent in my packets.

2) Rules POP3 (AUTH|USER) overflow attempt

TCP TTL:119 TOS:0x0 ID:1280 IpLen:20 DgmLen:57
***AP*** Seq: 0xF0F0DFA7  Ack: 0xFB8945D3  Win: 0x7F1E  TcpLen: 32
TCP Options (3) => NOP NOP TS: 866 166313267
41 55 54 48 20                                   AUTH

TCP TTL:119 TOS:0x0 ID:1286 IpLen:20 DgmLen:56
***AP*** Seq: 0xF0F0DFD7  Ack: 0xFB894607  Win: 0x7EEA  TcpLen: 32
TCP Options (3) => NOP NOP TS: 874 166313345
53 54 41 54                                      STAT

I don't know what to think about these kinds of packets...
I get a lot of these from a lot of different IP addresses.

The problem is that the client doesn't send any |0a| byte.

We should add, at least, a "dsize: >15", right?
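The mechanism behind both false positives above, as an added example that is not code from the thread or from Snort: a small Python model of the `content:"<cmd>"; content:!"|0a|"; within:N;` pattern the POP3 overflow rules rely on, run against payloads decoded from the dumps in the message. The anchor strings, `within` values and the long USER payload are assumptions, not the 2003 ruleset text.

```python
from typing import Dict, Optional


def negated_content_within(payload: bytes, anchor: bytes, needle: bytes, within: int) -> bool:
    """True when `anchor` occurs (nocase) and `needle` does NOT appear in the
    `within` bytes that follow it, i.e. the negated-content check fires."""
    idx = payload.upper().find(anchor.upper())
    if idx < 0:
        return False
    start = idx + len(anchor)
    return needle not in payload[start:start + within]


def pop3_overflow_alert(payload: bytes, anchor: bytes, within: int,
                        dsize_gt: Optional[int] = None) -> bool:
    """Model of one POP3 overflow rule (assumed shape): an optional
    dsize:><dsize_gt> gate, then command anchor + no |0a| within N bytes.
    Returns True if the rule would alert on this payload."""
    if dsize_gt is not None and len(payload) <= dsize_gt:
        return False
    return negated_content_within(payload, anchor, b"\n", within)


# Constructed payloads: the first three are decoded from the hex dumps in the
# thread; "user_long" is an assumed overflow-style USER argument used to show
# that the dsize gate does not hide a real long argument.
PACKETS = {
    "top_normal": b"TOP 8 99999999\r\n",          # 54 4F 50 20 38 20 39 .. 0D 0A
    "auth_probe": b"AUTH ",                       # 5-byte payload, no line ending
    "stat": b"STAT",                              # 4-byte payload, no line ending
    "user_long": b"USER " + b"A" * 300 + b"\r\n",
}


def evaluate(anchor: bytes, within: int, dsize_gt: Optional[int] = None) -> Dict[str, bool]:
    """{packet_name: alerts?} for every constructed packet under one rule variant."""
    return {name: pop3_overflow_alert(p, anchor, within, dsize_gt)
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    # With within:10 the |0a| of "TOP 8 99999999\r\n" lies outside the window,
    # so the negated content matches; with this anchor the window must reach
    # at least 13 bytes past "TOP" for the line ending to be seen.
    print("TOP  within:10           ", evaluate(b"TOP", 10))
    print("TOP  within:13           ", evaluate(b"TOP", 13))
    print("AUTH within:50           ", evaluate(b"AUTH", 50))
    print("AUTH within:50 dsize:>15 ", evaluate(b"AUTH", 50, 15))
    print("USER within:50 dsize:>15 ", evaluate(b"USER", 50, 15))
```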
