[Snort-sigs] Reducing FPs by linking attacks to service versions
root at ...2038...
Fri Dec 3 08:30:12 EST 2004
I have just been playing with flowbits, and am wondering if there would be adverse effects to linking rules to specific service versions where applicable.
# Rule 1: tag the session when the server banner says IIS 4.0.
# flowbits:noalert keeps it from raising an event of its own; the bit is
# all we want from it.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any \
    (msg:"IS IIS4"; flow:from_server,established; \
    content:"Server\: Microsoft-IIS\/4.0"; \
    flowbits:set,isiis4; flowbits:noalert; \
    classtype:not-suspicious; sid:2000000; rev:0;)

# Rule 2: only fire the fpcount check on sessions already tagged isiis4.
# Flowbits are per-session, so the bit is only present for requests that
# follow a tagged response on the same connection.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"New IIS4 fpcount attempt"; flow:to_server,established; \
    content:"Digits="; nocase; flowbits:isset,isiis4; \
    reference:bugtraq,2252; reference:cve,1999-1376; \
    classtype:web-application-attack; sid:2000002; rev:0;)
How much of a resource hit would there be on a system to track connections in this way?
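As an added illustration (not part of the original post, and not Snort code), the following Python script models what the two rules above do: rule 1 sets a per-session bit when the IIS 4.0 banner is seen in a response, and rule 2 only alerts on a "Digits=" request if that bit is already set on the same session. The packets, the server addresses standing in for $HTTP_SERVERS, and the fpcount request line are all constructed; the model works on one payload per packet and ignores TCP reassembly. It also shows the edge case the per-session scope creates: a probe that is the first request on a fresh connection is never matched, because the banner has not yet been seen on that session.

```python
import re
from collections import namedtuple

# Constructed packet model: one payload per packet, no TCP reassembly.
Pkt = namedtuple("Pkt", "src sport dst dport payload")

# Assumed values for the $HTTP_SERVERS / $HTTP_PORTS variables in the rules.
HTTP_SERVERS = {"10.0.0.5", "10.0.0.6"}
HTTP_PORTS = {80}

# Rule 1 content: the IIS 4.0 Server header in a response.
IIS4_BANNER = re.compile(rb"^Server: Microsoft-IIS/4\.0\b", re.M)
# Rule 2 content: "Digits=" (nocase) in a request.
FPCOUNT = re.compile(rb"Digits=", re.I)


def flow_key(pkt):
    """Direction-independent session key; flowbits live on the session."""
    return frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])


def from_server(pkt):
    """True when the packet is server -> client on an HTTP port."""
    return pkt.src in HTTP_SERVERS and pkt.sport in HTTP_PORTS


def run_rules(packets):
    """Apply the two rules, in order, to a packet list.

    Returns (alerts, flowbits): alerts is a list of (client, server, msg)
    tuples; flowbits maps each session key to the bits set on it, which is
    also the per-session state the engine has to keep for this scheme."""
    flowbits = {}
    alerts = []
    for pkt in packets:
        key = flow_key(pkt)
        if from_server(pkt):
            # sid:2000000 -- set isiis4, no alert of its own.
            if IIS4_BANNER.search(pkt.payload):
                flowbits.setdefault(key, set()).add("isiis4")
        else:
            # sid:2000002 -- fire only if isiis4 is already set on this session.
            if FPCOUNT.search(pkt.payload) and "isiis4" in flowbits.get(key, ()):
                alerts.append((pkt.src, pkt.dst, "New IIS4 fpcount attempt"))
    return alerts, flowbits


def sample_traffic():
    """Three constructed sessions: IIS4 keep-alive, Apache, and a fresh IIS4 connection."""
    client = "192.0.2.10"
    iis, apache = "10.0.0.5", "10.0.0.6"
    probe = b"GET /fpcount.exe?Digits=15 HTTP/1.1\r\nHost: www\r\n\r\n"  # constructed request line
    return [
        # Session 1: benign request, IIS 4.0 banner comes back, probe on the same connection.
        Pkt(client, 40001, iis, 80, b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"),
        Pkt(iis, 80, client, 40001, b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n\r\n"),
        Pkt(client, 40001, iis, 80, probe),
        # Session 2: same probe against Apache; the bit is never set, so no alert.
        Pkt(client, 40002, apache, 80, b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"),
        Pkt(apache, 80, client, 40002, b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.29\r\n\r\n"),
        Pkt(client, 40002, apache, 80, probe),
        # Session 3: fresh connection to the IIS4 host, probe is the first request;
        # no banner has been seen on this session yet, so the flowbit is not set.
        Pkt(client, 40003, iis, 80, probe),
    ]


if __name__ == "__main__":
    alerts, state = run_rules(sample_traffic())
    for alert in alerts:
        print("ALERT", alert)
    print(len(state), "session(s) carrying flowbit state")
```

Only session 1 produces an alert; session 2 is the false positive the author wants to suppress, and session 3 is the miss that comes with per-session flowbits. The size of the returned state map is the cost side of the question: one entry per tagged session for as long as the engine keeps that session.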