[Snort-sigs] Suggestion to cut down on FP for generic overflow rules

Brian bmc at ...95...
Thu May 13 08:56:04 EDT 2004


On Thu, May 13, 2004 at 07:48:01AM -0600, Alec H. Peterson wrote:
> On Thursday, May 13, 2004 9:23 AM -0400 Brian <bmc at ...95...> wrote:
> >On Thu, May 13, 2004 at 05:25:00PM +1200, Russell Fulton wrote:
> > > I was wondering if it would be worth parameterising these rules with a
> > > $FTP_PATH_LEN and an IMAP_FOLDER_LEN which gets set along with all the
> > > other configurable stuff in snort.conf?
> >
> > Nope, because it is specific to specific implementations of IMAP.
> >
> > I'd rather not use variables inside the rule body, as you will not
> > be able to track the history of a rule appropriately if the
> > detection capabilities are tied to something outside of the rule.
>
> Perhaps we could make use of flowbits and take a peek at the startup
> banner to make sure it is in fact the IMAP server in question we are
> concerned about?

Banners become a nightmare to maintain.  I'd rather not do that if we
can avoid it.  

If your mail server allows different folder depths, modify those
specific rules.

Brian
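Added example, not part of the thread and not a Snort-sigs rule: what the three options discussed above look like as Snort 2.x rules. The rule bodies, the 100- and 256-byte thresholds, the SIDs (1000001-1000003, in the local range), the flowbit name and the "Example IMAP4" banner string are all hypothetical; they illustrate the pattern, not any specific IMAP implementation.

```snort
# 1. Generic-overflow style rule: alert when the argument to IMAP SELECT
#    runs past a fixed length with no line terminator. The threshold sits
#    in the rule body itself, so the rule's history (sid/rev) fully
#    describes what it detected at each revision, which is the reason
#    given above for not pulling it out into a snort.conf variable.
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP SELECT overflow attempt (example)"; \
    flow:to_server,established; content:"SELECT"; nocase; \
    isdataat:100,relative; pcre:"/\sSELECT\s[^\n]{100}/smi"; \
    classtype:attempted-admin; sid:1000001; rev:1;)

# 2. "Modify those specific rules": for a site whose server legitimately
#    accepts deeper folder paths, copy the rule into local.rules, raise
#    the threshold, bump rev, and disable the stock copy (or edit the
#    stock rule in place). Detection logic is still readable from the
#    rule alone; no external variable is needed.
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP SELECT overflow attempt (example, local 256)"; \
    flow:to_server,established; content:"SELECT"; nocase; \
    isdataat:256,relative; pcre:"/\sSELECT\s[^\n]{256}/smi"; \
    classtype:attempted-admin; sid:1000001; rev:2;)

# 3. For contrast, the banner-gated variant proposed in the thread and
#    declined as a maintenance burden: a noalert rule tags the flow when
#    the server greeting matches a given product, and the overflow rule
#    only fires on tagged flows. Every product/version greeting string
#    then becomes something to track. "Example IMAP4" is made up.
alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"IMAP example server banner seen"; \
    flow:from_server,established; content:"* OK "; depth:5; \
    content:"Example IMAP4"; within:40; \
    flowbits:set,imap.example_server; flowbits:noalert; sid:1000002; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP SELECT overflow attempt (example server only)"; \
    flow:to_server,established; flowbits:isset,imap.example_server; \
    content:"SELECT"; nocase; isdataat:100,relative; \
    pcre:"/\sSELECT\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1000003; rev:1;)
```

The `isdataat` check is a cheap pre-filter so the `pcre` only runs on packets that actually carry enough bytes after the keyword; when tuning the threshold locally, both values have to move together or the rule silently stops matching what the message string claims.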
