[Snort-sigs] false positives for attack-response rules (and suggested fix)

Milani Paolo Paolo.Milani at ...1843...
Fri Mar 19 04:57:02 EST 2004


concerning sids 1292:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown; sid:1292; rev:7;)

and 1882:

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; distance:0; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:9;)

In some environments it can be normal to have telnet traffic in the network (not in very safe environments, I know). In which case these rules will fp a lot.

My suggestion is to change src port to !23 (or !$TELNET_PORTS).

This will not make environments where telnet traffic is not allowed less safe, I think, since telnet traffic is already detected with specific signatures.

my 2 cents,
Paolo Milani

This message and its attachments are addressed solely to the persons
above and may contain confidential information. If you have received
the message in error, be informed that any use of the content hereof
is prohibited. Please return it immediately to the sender and delete
the message. Should you have any questions, please contact us by
replying to MailAdmin at ...1844... Thank you

More information about the Snort-sigs mailing list