[Snort-sigs] RE: False positives for sid:230

Brian King bking at ...2422...
Wed May 19 08:10:44 EDT 2004


Eric,
I have been getting tons of false positives for that signature as well.
What about using the TCP sequence number to identify it, since it appears to
be set at: 0x28374839 and/or the string "login" at the start of the shaft
session?  I would probably prefer the latter.

Something like this...(is the sequence number supposed to be hex for this
rule?)

alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client to handler"; seq:674711609; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)

Or 

alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; content:"login:"; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)

I chose to use the response from the handler, since that is relatively
known.  I don't have a packet dump to determine the offset, but I am sure
that could get rid of most of the false positives.  

Brian



Date: Tue, 18 May 2004 10:42:58 -0700
To: snort-sigs at lists.sourceforge.net
From: Eric Watkins <watkinse at ...2496...>
Subject: [Snort-sigs] False positives for sid:230

Hello,

My system seems to generate quite a few false positives based on the DDOS 
sig 230. After a bit, valid https traffic ends up on a high port and 
triggers this sid.

alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to handler"; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)

Looking here it appears there are some strings that could be triggered on: 
http://security.royans.net/info/posts/bugtraq_ddos3.shtml

Is there some way to make this sid more specific to the actual traffic data 
rather than just a port connection?

Thanks,

Eric
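An added illustration, not part of either message and not Snort code: a toy matcher that models only the rule header (direction and ports) plus the seq and content options, and runs the port-only rule from Eric's mail and Brian's two proposed variants over a handful of constructed packet records. The packet contents, sequence numbers and labels are made up for the example; the only value taken from the thread is 0x28374839, which is the same number as the decimal 674711609 in Brian's seq rule. It shows why the port-only rule fires on an HTTPS reply to an internal client whose ephemeral port happens to be 20432, and that the two variants watch the handler's reply direction rather than the client's command.

```python
"""Toy evaluation of the sid:230 rule variants from the thread (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# 0x28374839 is the value Brian cites; it equals the decimal 674711609 in his rule.
SHAFT_SEQ = 0x28374839


@dataclass
class Packet:
    src_internal: bool  # True if the source address is in $HOME_NET
    sport: int
    dport: int
    seq: int            # TCP sequence number field of this packet
    payload: bytes
    label: str          # what this constructed record represents


@dataclass
class Rule:
    name: str
    src_home: bool            # True => "$HOME_NET ->", False => "$EXTERNAL_NET ->"
    sport: Optional[int]      # None models "any"
    dport: Optional[int]
    seq: Optional[int] = None
    content: Optional[bytes] = None

    def matches(self, p: Packet) -> bool:
        # Rule header: direction and ports.
        if p.src_internal != self.src_home:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # Rule options: every option present must match (Snort ANDs them).
        if self.seq is not None and p.seq != self.seq:
            return False
        if self.content is not None and self.content not in p.payload:
            return False
        return True


def evaluate(rules: List[Rule], packets: List[Packet]) -> Dict[str, List[str]]:
    """Return, per rule name, the labels of the packets that rule fires on."""
    return {r.name: [p.label for p in packets if r.matches(p)] for r in rules}


RULES = [
    # Eric's current rule: external any -> home 20432, no payload options.
    Rule("original sid:230 (port only)", src_home=False, sport=None, dport=20432),
    # Brian's first variant: handler reply direction plus the sequence number.
    Rule("seq variant", src_home=True, sport=20432, dport=None, seq=SHAFT_SEQ),
    # Brian's second variant: handler reply direction plus the "login:" string.
    Rule("content variant", src_home=True, sport=20432, dport=None, content=b"login:"),
]

# Constructed packet records (addresses, seq values and payloads are invented).
PACKETS = [
    Packet(False, 443, 20432, 0x1A2B3C4D, b"\x16\x03\x01\x00\x2a",
           "https reply to internal client on ephemeral port 20432"),
    Packet(True, 20432, 443, 0x5E6F7A8B, b"\x16\x03\x01\x00\x8f",
           "https request from internal client on ephemeral port 20432"),
    Packet(True, 20432, 43210, SHAFT_SEQ, b"login:",
           "shaft handler banner"),
    Packet(True, 20432, 43211, 0x0BADF00D, b"welcome\nlogin:",
           "unrelated service on 20432 printing login:"),
    Packet(False, 43212, 20432, 0x00C0FFEE, b"some command",
           "shaft client command to internal handler"),
]

if __name__ == "__main__":
    for name, hits in evaluate(RULES, PACKETS).items():
        print(f"{name}:")
        for label in hits:
            print(f"    fires on: {label}")
```

Run stand-alone it prints which constructed records each variant fires on: the port-only rule hits both the benign HTTPS reply and the client command, the seq variant hits only the handler banner, and the content variant hits the banner plus any other service on port 20432 that happens to print "login:". That last case is the kind of residual false positive an offset (or a packet dump to derive one, as Brian notes) would help tighten.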
