[Snort-sigs] False positive sid:498

Paul Schmehl pauls at ...1311...
Thu Mar 24 13:41:30 EST 2005


--On Thursday, March 24, 2005 03:16:49 PM -0600 Frank Knobbe 
<frank at ...1978...> wrote:
>
> good call, I didn't consider general email. However, I do not believe
> changing rules to use port !25 is a solution.
>
> Instead, why don't you tune the IDS by suppressing on certain IPs, such
> as the Bugtraq mail servers, Security Focus portal etc. That way at
> least you still get alerts when someone spawns a remote shell over port
> 25.
>
The problem with this solution is that it requires a lot of maintenance 
*and* documentation so that, when I get run over by a bus (or fired for 
incompetence) my replacement will know *why* the suppression rules exist.

I think it makes more sense, therefore, *if* it's possible, to refine the 
rules to generate less fps *without* introducing fns.

To be sure, I have a *bunch* of rules commented out - some because I've 
altered them to better fit our environment (and put them in local rules) 
and some because we don't have any of "those" (e.g. Lotus Notes - we don't 
have it, so why should I see attempted exploits for it?)

Suppression rules are good for *some* things, but it becomes a tangled mess 
if you try to solve *every* fp that way.
>
[snipped]
>
> Messing with ports lowers the accuracy of a rule. Once you start with !
> 25, you might end up with !20:1024 (to cover POP3, IMAP, FTP, Web, etc
> etc). So you rule becomes less and less effective.
>
In general, yes, but what did you think of Mike's suggestion to use 
flowbits to check for a server response?

> Instead, increase accuracy of FP detection by adding all those known
> good FP sources to suppression rules. Once you do that, you get less FP,
> but are still able to catch the remote shells that use source port 20
> and stuff like that.
>
Primarily because it doesn't scale well when you have to deal with class A 
size networks and thousands of hosts.

> Let me know if this is the sort of reasoning or discussion you except
> and I'll continue to be verbal like that. ;)
>
Absolutely that's what I want. :-)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu




More information about the Snort-sigs mailing list