[Snort-sigs] False positive - sid 1365

Mike Pomraning mjp-snortsigs at ...1399...
Mon Mar 21 21:12:34 EST 2005

On Mon, 21 Mar 2005, Ofer Shezaf wrote:

> The problem is that rm is one of a very long list of commands, and that
> pcre is very expensive performance wise.
> Even prefixing with a "uricontent" operator does not help much as two
> letter words tend to crop up a lot (and it probably should be "content"
> and not "uricontent" as rm could very well be injected in a parameter
> value).
> So?
> Write code better; Configure the server better; use application layer
> security tools; but don't try to catch application layer issues such as
> command or SQL injection with Snort.

I generally agree:  performance, accuracy and specificity need to be weighed
for every sig.  It's unfortunate that 'uricontent' is blind to POST'd
parameters, and similarly that 'content' understands no encoding, wherever it
occurs.  IDS isn't a silver bullet, so don't let it be your only bullet.

However, you do still shoot the bullet. :)  I'd temper your last remark --
after all, http_inspect *is* application layer smarts, however limited, inside
Snort.  Comprehensive and perfect?  No.  Useful?  Certainly.

Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
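An added example, not from the thread and not Snort code: a small Python model of the three matching problems raised above, namely a two-letter 'uricontent' trigger that fires on ordinary file names, a POST body that 'uricontent' never sees, and URL-encoding that a raw 'content' byte search does not decode. The four HTTP requests are constructed samples, the matchers are simplified stand-ins for the Snort options (the real preprocessor's normalization differs in detail), and the only matcher that gets every case right, the decoded regex, is also the one that costs the most per request, which is the tradeoff Ofer and Mike are discussing.

```python
"""Toy model of uricontent / content / decoded-pcre matching on HTTP requests.
Added example; the requests are constructed, the matchers are not Snort's."""

import re
from urllib.parse import unquote_plus

# Constructed sample requests (not captured traffic).
REQUESTS = {
    # Benign: "rm" occurs inside "form" and "arm", the two-letter false
    # positive the thread is about.
    "benign_form": (
        b"GET /cgi-bin/form.cgi?user=arm HTTP/1.0\r\n"
        b"Host: www.example.com\r\n\r\n"
    ),
    # Injection in the query string, URL-encoded as a browser would send it.
    "attack_in_uri": (
        b"GET /cgi-bin/ping.cgi?host=127.0.0.1%3Brm%20-rf%20%2F HTTP/1.0\r\n"
        b"Host: www.example.com\r\n\r\n"
    ),
    # Same injection in a POST body, unencoded.
    "attack_in_body_raw": (
        b"POST /cgi-bin/ping.cgi HTTP/1.0\r\n"
        b"Host: www.example.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 23\r\n\r\n"
        b"host=127.0.0.1;rm -rf /"
    ),
    # Same injection in a POST body, URL-encoded.
    "attack_in_body_encoded": (
        b"POST /cgi-bin/ping.cgi HTTP/1.0\r\n"
        b"Host: www.example.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 27\r\n\r\n"
        b"host=127.0.0.1%3Brm+-rf+%2F"
    ),
}


def split_request(raw: bytes):
    """Return (method, uri, body) from a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return method.decode(), uri.decode(), body.decode()


def uricontent_rm(raw: bytes) -> bool:
    """Stand-in for uricontent:"rm": substring test on the decoded URI only.
    Never looks at the body, and matches any file name containing 'rm'."""
    _, uri, _ = split_request(raw)
    return "rm" in unquote_plus(uri)


def content_raw(raw: bytes, needle: bytes = b";rm ") -> bool:
    """Stand-in for content:";rm ": byte search over the whole raw request.
    Sees the body, but performs no URL decoding, so %3B and + hide it."""
    return needle in raw


# Command-separator, optional whitespace, then 'rm' followed by whitespace.
INJECT = re.compile(r"(?:^|[;|&`\n])\s*rm\s+")


def decoded_injection(raw: bytes) -> bool:
    """Decode every parameter value in query string and body, then apply the
    anchored regex. Accurate, but it decodes and regex-scans every request."""
    _, uri, body = split_request(raw)
    query = uri.partition("?")[2]
    values = []
    for blob in (query, body):
        for pair in blob.split("&"):
            if pair:
                values.append(unquote_plus(pair.partition("=")[2]))
    return any(INJECT.search(v) for v in values)


def evaluate():
    """Run all three matchers over every sample; returns name -> (uri, raw, dec)."""
    return {
        name: (uricontent_rm(r), content_raw(r), decoded_injection(r))
        for name, r in REQUESTS.items()
    }


if __name__ == "__main__":
    print(f"{'request':24} uricontent  content  decoded")
    for name, (u, c, d) in evaluate().items():
        print(f"{name:24} {u!s:10}  {c!s:7}  {d!s}")
```

Run stand-alone it prints one row per sample: the benign request trips only the uricontent check, the encoded URI attack is caught by uricontent and the decoded regex but not by the raw byte search, the raw body attack is invisible to uricontent, and the encoded body attack is seen only by the decoded matcher.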
