[Snort-sigs] False negatives on "ATTACK-RESPONSES id check returned userid"

Cees celzinga at ...2420...
Fri May 4 03:45:09 EDT 2007


Looks good to me!

On 4/16/07, Jon Hart <jhart at ...288...> wrote:
>
> On Mon, Apr 16, 2007 at 12:40:27PM +0200, Cees wrote:
> > Some additional information:
> >
> > Version of snort used: 2.6.1.2
> > Snort.conf configuration:
> > var HOME_NET [192.168.247.133/32]
> > var EXTERNAL_NET !$HOME_NET
> > [..]
> > Preprocessors: frag3, stream4, http_inspect
> >
> > Command-line options when starting snort:
> > snort -u snort -r uid.pcap -l log/ -c snort.conf
> >
> > Operating system used: Gentoo linux
> >
> > Attached a sample PCAP file. A client (192.168.247.129) retrieves a
> > website from the server (192.168.247.133) with the string "uid=33(www-data)
> > gid=33(www-data) groups=33(www-data)".
>
> I seem to recall discussion about this rule and its potential for
> false-negatives sometime in the past.  The further you crank out
> 'within', the greater the chance of a false-positive.  There is
> definitely room for improvement, IMO, as uid and gid combinations that
> are greater than 9 characters in length are quite common.
>
> Why not pcre for this rule?  'pcre:/uid=\d+\S+\s+gid=\d+\S+'?
>
> -jon
>
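An added illustration, not part of the thread: a small Python emulation of the two matching strategies the reply contrasts, a content:"uid=" followed by content:"gid="; within:N check versus Jon's pcre, run over the id output from the sample pcap and a constructed root variant. The within value of 15 and the content/within emulation are assumptions, since the thread does not show the rule itself.

```python
import re

# Constructed sample payloads. The first is the string from the thread's pcap;
# the others are made up here for comparison.
SAMPLES = {
    "www-data": "uid=33(www-data) gid=33(www-data) groups=33(www-data)",
    "root": "uid=0(root) gid=0(root) groups=0(root)",
    "no_match": "HTTP/1.1 200 OK\r\nContent-Type: text/html",
}

# Assumed window for the content-based variant; the real rule is not on the page.
WITHIN = 15


def content_within_match(payload: bytes, within: int = WITHIN) -> bool:
    """Approximate content:"uid="; content:"gid="; within:N semantics:
    "gid=" must lie entirely inside the N bytes after the end of "uid="."""
    idx = payload.find(b"uid=")
    while idx != -1:
        start = idx + len(b"uid=")
        if b"gid=" in payload[start:start + within]:
            return True
        idx = payload.find(b"uid=", idx + 1)
    return False


# Jon's suggested pcre, as a Python regex over bytes.
PCRE = re.compile(rb"uid=\d+\S+\s+gid=\d+\S+")


def pcre_match(payload: bytes) -> bool:
    return PCRE.search(payload) is not None


def evaluate(samples: dict) -> dict:
    """Return {name: (content_within_hit, pcre_hit)} for each sample."""
    return {
        name: (content_within_match(p.encode()), pcre_match(p.encode()))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, (cw, pc) in evaluate(SAMPLES).items():
        print(f"{name:9s} content/within={cw!s:5s} pcre={pc}")
```

For the www-data line, "33(www-data) " already pushes "gid=" past a 15-byte window, so the content/within variant misses it while the pcre still fires.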