[Snort-sigs] Rule 498 and 1882

Giovanni Giovanni at ...1834...
Wed Sep 3 06:54:33 EDT 2003


Hi Nigel / Snort Staff

	I have a suggestion about that:

	In those rules (attack responses), about "id command returned", we
can avoid many false positives by changing:

        old: alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:4;)
        new: alert ip any !23 -> any !23 (msg:"ATTACK-RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:4;)

        old: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; distance:0; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:9;)
        new: alert ip any !23 -> any !23 (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; distance:0; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:9;)

	Having a variable TELNET_PORTS in snort.conf will also help avoid
these things.

	I had to make this modification in my snort because I use 'in-line
blocking' technology, and a DBA called me at 02:00 in the morning because his
telnet connection with the client dropped without reason, lol.

	Maybe this first rule can be dropped since it appears that both do the
same detection.
	
	With best regards,

---
Giovanni Moser Frainer
System Administrator
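As an added illustration (not part of Giovanni's mail or of the Snort rule set), a small Python model of how the proposed sid:1882 would evaluate a payload: the content/byte_test chain first, then the "any !23 -> any !23" header that drops the telnet case. The matching logic is a simplified approximation of Snort's detection engine, not the engine itself; the port numbers and the `id` output are constructed sample data.

```python
import re

# Simplified model of the proposed sid:1882 (approximation, not Snort's engine):
#   content:"uid="; byte_test:5,<,65537,0,relative,string;
#   content:" gid="; distance:0; within:15; byte_test:5,<,65537,0,relative,string;
# with the header "any !23 -> any !23" from the mail.
TELNET_PORT = 23  # the port the proposal excludes in both directions


def byte_test_string(payload: bytes, offset: int, nbytes: int, limit: int) -> bool:
    """byte_test:<nbytes>,<,<limit>,0,relative,string: read nbytes at offset as an
    ASCII decimal number (leading digits only, strtol-style) and compare."""
    m = re.match(rb"\d+", payload[offset:offset + nbytes])
    return m is not None and int(m.group()) < limit


def id_output_matches(payload: bytes) -> bool:
    """The content/byte_test chain of sid:1882 on one payload.
    Only the first "uid=" occurrence is tried (Snort would retry later ones)."""
    uid_pos = payload.find(b"uid=")
    if uid_pos < 0:
        return False
    doe = uid_pos + len(b"uid=")          # detection offset after the first match
    if not byte_test_string(payload, doe, 5, 65537):
        return False
    # distance:0; within:15 -> " gid=" must lie entirely in the next 15 bytes
    window = payload[doe:doe + 15]
    gid_pos = window.find(b" gid=")
    if gid_pos < 0:
        return False
    doe = doe + gid_pos + len(b" gid=")
    return byte_test_string(payload, doe, 5, 65537)


def sid_1882_alerts(payload: bytes, src_port: int, dst_port: int) -> bool:
    """Header 'any !23 -> any !23': never alert when either side is telnet."""
    if src_port == TELNET_PORT or dst_port == TELNET_PORT:
        return False
    return id_output_matches(payload)


if __name__ == "__main__":
    # Constructed sample: what the output of `id` looks like on the wire.
    ID_OUTPUT = b"uid=1001(dba) gid=1001(dba) groups=1001(dba)\r\n"
    print(sid_1882_alerts(ID_OUTPUT, 23, 51234))  # False: the DBA's telnet session
    print(sid_1882_alerts(ID_OUTPUT, 80, 51234))  # True: same text on another port
```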
