[Snort-sigs] Lot of FP [8428 or 8426]

Thierry CHICH thierry.chich at ...2579...
Thu Apr 10 04:10:10 EDT 2008


Hi,

I don't know if these rules have been recently changed, but I can see that I 
have a lot of FPs with this rule now. The "victim" is a Cisco CSS, and I 
don't believe there are such villains in this poor world :-).

WEB-MISC SSLv2 openssl get shared ciphers overflow attempt: 


/etc/snort/rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 443 
(msg:"WEB-MISC SSLv2 openssl get shared ciphers overflow attempt"; 
flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; 
flowbits:isnotset,sslv2.client_hello.request; 
flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; 
offset:2; byte_test:2, >, 256, 1, relative; metadata:policy balanced-ips 
drop, policy connectivity-ips drop, policy security-ips drop, service http; 
reference:bugtraq,20249; reference:cve,2006-3738; reference:cve,2007-5135; 
reference:url,www.openssl.org/news/secadv_20060928.txt; 
classtype:attempted-admin; sid:8428; rev:6;)

/etc/snort/rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 443 
(msg:"WEB-MISC SSLv2 openssl get shared ciphers overflow attempt"; 
flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; 
flowbits:isnotset,sslv3.client_hello.request; 
flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; 
offset:2; byte_test:2, >, 256, 0, relative; metadata:policy balanced-ips 
drop, policy connectivity-ips drop, policy security-ips drop, service http; 
reference:bugtraq,20249; reference:cve,2006-3738; reference:cve,2007-5135; 
reference:url,www.openssl.org/news/secadv_20060928.txt; 
classtype:attempted-admin; sid:8426; rev:6;)

Another thing: the two rules claim they are detecting an SSLv2 overflow, but the 
second one is for SSLv3.

-- 
Thierry CHICH
Equipe Réseaux / Rectorat de Clermont-Ferrand
Tel: +33 4 73 99 30 54
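Editor's added example, not part of Thierry's message or of the Snort rule set: the script below reproduces only the content/byte_test part of sids 8426 and 8428 against a raw SSLv2-format CLIENT-HELLO and shows what both rules actually test, namely the 2-byte cipher-spec-length field at offset 5 being greater than 256 (i.e. 86 or more 3-byte cipher specs). The flowbits conditions are stream state and are not modelled; the builder function and the sample hellos are constructed test data, and the helper names are the editor's own.

```python
# Added example (not from the post): evaluate the content/byte_test logic of
# Snort sids 8426 and 8428 on an SSLv2-format CLIENT-HELLO payload.
# Assumption: the flowbits:isnotset checks are ignored (no stream state here).
import struct

SSL2_CLIENT_HELLO = 0x01  # SSLv2 message type for CLIENT-HELLO

def build_sslv2_client_hello(version, cipher_specs, session_id=b"",
                             challenge=b"\x00" * 16):
    """Construct an SSLv2-format CLIENT-HELLO record (constructed test data).
    version: 2-byte protocol version, e.g. 0x0002 (SSLv2), 0x0300 (SSLv3),
             0x0301 (TLS 1.0); SSLv2-compatible hellos carry the offered version.
    cipher_specs: list of 3-byte cipher spec codes."""
    specs = b"".join(cipher_specs)
    body = (bytes([SSL2_CLIENT_HELLO]) + struct.pack(">H", version)
            + struct.pack(">HHH", len(specs), len(session_id), len(challenge))
            + specs + session_id + challenge)
    # 2-byte record header: high bit set means "no padding", low 15 bits = length
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_sslv2_client_hello(payload):
    """Decode the header fields a rule author cares about."""
    if len(payload) < 11:
        raise ValueError("too short for an SSLv2 CLIENT-HELLO header")
    msg_type, version, cipher_len, sid_len, chal_len = struct.unpack(
        ">BHHHH", payload[2:11])
    return {"msg_type": msg_type, "version": version,
            "cipher_spec_length": cipher_len, "session_id_length": sid_len,
            "challenge_length": chal_len}

def byte_test(payload, cursor, nbytes, threshold, rel_offset):
    """Mimic Snort byte_test:<nbytes>,>,<threshold>,<rel_offset>,relative
    (big-endian, default for byte_test)."""
    start = cursor + rel_offset
    if len(payload) < start + nbytes:
        return False
    value = int.from_bytes(payload[start:start + nbytes], "big")
    return value > threshold

def rule_8428_matches(payload):
    # content:"|01 03|"; depth:2; offset:2  -> bytes 2..3 must be 01 03
    # byte_test:2,>,256,1,relative          -> cursor is 4 after the match,
    #                                          so test bytes 5..6
    if payload[2:4] != b"\x01\x03":
        return False
    return byte_test(payload, cursor=4, nbytes=2, threshold=256, rel_offset=1)

def rule_8426_matches(payload):
    # content:"|01 00 02|"; depth:3; offset:2 -> bytes 2..4 must be 01 00 02
    # byte_test:2,>,256,0,relative           -> cursor is 5, test bytes 5..6
    if payload[2:5] != b"\x01\x00\x02":
        return False
    return byte_test(payload, cursor=5, nbytes=2, threshold=256, rel_offset=0)

def matching_sids(payload):
    """Return the list of sids (from this pair) whose payload checks fire."""
    sids = []
    if rule_8426_matches(payload):
        sids.append(8426)
    if rule_8428_matches(payload):
        sids.append(8428)
    return sids

if __name__ == "__main__":
    spec = b"\x01\x00\x80"  # SSL_CK_RC4_128_WITH_MD5, used as filler
    samples = {
        "sslv2, 3 ciphers (benign)":   build_sslv2_client_hello(0x0002, [spec] * 3),
        "sslv2, 86 ciphers (fires)":   build_sslv2_client_hello(0x0002, [spec] * 86),
        "sslv3-in-v2, 86 ciphers":     build_sslv2_client_hello(0x0300, [spec] * 86),
        "tls1.0-in-v2, 85 ciphers":    build_sslv2_client_hello(0x0301, [spec] * 85),
    }
    for name, pkt in samples.items():
        fields = parse_sslv2_client_hello(pkt)
        print(f"{name:28s} version=0x{fields['version']:04x} "
              f"cipher_spec_length={fields['cipher_spec_length']:3d} "
              f"sids={matching_sids(pkt)}")
```

Both rules fire on the same field; the only difference is the version bytes that follow the 0x01 message type (00 02 for sid 8426, 03 xx for sid 8428), so any SSLv2-compatible hello that advertises 86 or more cipher specs will trip one of them regardless of whether the sender is hostile. Capturing one of the flagged hellos and running it through the parser shows which field crossed the threshold before deciding whether to tune the rule.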