[Snort-sigs] Reducing FPs by linking attacks to service versions

root root at ...2038...
Fri Dec 3 08:30:12 EST 2004


Afternoon.

I have just been playing with flowbits, and am wondering if there would be adverse effects to linking rules to specific service version where applicable.

Simple example:

 alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any \
 (msg:"IS IIS4"; sid:2000000; \
 rev:0; classtype:not-suspicious; \
 content: "Server\: Microsoft-IIS\/4.0"; \
 flowbits: set,isiis4; \
 flowbits: noalert;)

 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
 (msg:"New IIS4 fpcount attempt"; \
 sid:2000002; rev:0; classtype:web-application-attack; \
 flow:to_server,established; \
 uricontent:"/fpcount.exe"; \
 content:"Digits="; nocase; reference:bugtraq,2252; reference:cve,1999-1376; \
 flowbits: isset,isiis4;)


How much of a resource hit would there be on a system to track connections in this way?

-N
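As an added illustration (not part of the post above, and not Snort's code), here is a toy model of how the two rules share per-session flowbits state: the banner rule tags the session, the fpcount rule fires only on tagged sessions. It also shows the ordering consequence of this pattern: the bit is set by a response, so the first request on a fresh connection is checked before any Server header has been seen. Rule and flow classes, hosts and packets are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Flow:
    """One TCP session by 4-tuple (hypothetical model; Snort keys flowbits on stream state)."""
    client: str
    cport: int
    server: str
    sport: int

@dataclass
class Rule:
    """Only the pieces of a Snort rule the flowbits logic needs (not Snort's parser)."""
    sid: int
    to_server: bool                  # flow:to_server vs. to_client
    match: Callable[[bytes], bool]   # stands in for content:/uricontent: tests
    set_bit: Optional[str] = None    # flowbits:set,<name>
    isset_bit: Optional[str] = None  # flowbits:isset,<name>
    noalert: bool = False            # flowbits:noalert

RULES = [
    # sid 2000000: IIS 4.0 banner in a response tags the session, never alerts
    Rule(2000000, False, lambda p: b"Server: Microsoft-IIS/4.0" in p, set_bit="isiis4", noalert=True),
    # sid 2000002: fpcount.exe request with Digits= (nocase), only on a tagged session
    Rule(2000002, True, lambda p: b"/fpcount.exe" in p and b"digits=" in p.lower(), isset_bit="isiis4"),
]

def run(packets):
    """packets: (flow, to_server, payload) in wire order. Returns [(sid, flow)] alerts."""
    bits, alerts = {}, []            # bits: Flow -> set of flowbit names set so far
    for flow, to_server, payload in packets:
        session = bits.setdefault(flow, set())
        for r in RULES:
            if r.to_server != to_server or not r.match(payload):
                continue
            if r.isset_bit and r.isset_bit not in session:
                continue             # isset fails: bit not (yet) set on this session
            if r.set_bit:
                session.add(r.set_bit)
            if not r.noalert:
                alerts.append((r.sid, flow))
    return alerts

# Constructed traffic: one keep-alive session to IIS, one to Apache, one fresh session to IIS.
IIS, APACHE, FRESH = (Flow("10.0.0.5", p, s, 80) for p, s in
                      ((40001, "192.0.2.10"), (40002, "192.0.2.20"), (40003, "192.0.2.10")))
SAMPLE = [
    (IIS, True, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    (IIS, False, b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n\r\n"),
    (IIS, True, b"GET /fpcount.exe?Page=x&Digits=9 HTTP/1.1\r\nHost: a\r\n\r\n"),   # alerts
    (APACHE, True, b"GET /fpcount.exe?Digits=9 HTTP/1.1\r\nHost: b\r\n\r\n"),       # never tagged
    (FRESH, True, b"GET /fpcount.exe?Digits=9 HTTP/1.1\r\nHost: a\r\n\r\n"),        # banner not seen yet
    (FRESH, False, b"HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/4.0\r\n\r\n"),
]
```

Running `run(SAMPLE)` yields a single alert for sid 2000002 on the IIS keep-alive session; the Apache session is never tagged, and the fresh IIS session is tagged only after its first request has already been evaluated.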
