[Snort-sigs] Suggestion to cut down on FP for generic overflow rules

Brian bmc at ...95...
Fri May 14 11:44:06 EDT 2004


On Fri, May 14, 2004 at 09:43:27AM +1200, Russell Fulton wrote:
> On Fri, 2004-05-14 at 03:55, Brian wrote:
> 
> > Banners become a nightmare to maintain.  I'd rather not do that if we
> > can avoid it.  
> > 
> > If your mail server allows different folder depths, modify those
> > specific rules.
> 
> This then becomes a "nightmare to maintain" for us :)

Yep, it's called passing the buck.  Think of it as payback for the free
stuff.  :P  In reality, it is easier for you to maintain local
modifications to rules via something like oinkmaster or snortconfig
than it would be for me to maintain variables inside of rules.  The
variable changing makes a single rule have multiple places to maintain
the rule.  For most people, that's a pain in the ass.

> I was under the impression that most of these rules were generic detects
> not targeted at specific implementations.  The comments in the
> rules write-up suggest this.

Yes, the rules are generic detects.  However, there are specific
implementations that have the vulnerability.  We look for the
vulnerability on all versions, not just the one or two we know are
vulnerable.  

I don't have the time, energy, or the desire to track the capabilities
of each and every server for every protocol we do detection on.

> Hmmm... At CanSecWest Marty spoke about using passive monitoring of
> network traffic (I forget what Sourcefire call the product) to get just
> this sort of information which is then used to post process alerts.  So
> you only get IIS alerts for machines that are actually running IIS and
> not Apache.

It's called RNA.  It could help you out here, but so could tuning your
rules.  :)

BTW, RNA does more than alert filtering, but this is not an RNA
mailing list... this is a snort mailing list.  Talk to a Sourcefire
sales guy for that info.

Brian