[Snort-sigs] MSSQL False Neg

Bill Scherr IV bschnzl at ...3374...
Tue Dec 1 21:37:51 EST 2009


Matt...

From a # snort -c <file> -T 2>&1 | less
gen-id=1 _ sig-id=3543 _ type=Threshold _ tracking=src _ count=5 _ seconds=2

So the thresholding is set.  That seems a bit tight.  This guy passes one packet every 2.25 seconds. IMHO, that passes for a brute force attempt. Granted this service should not be subjected to one of these attacks, but 2 to 3 attempts per second is kind of heavy.

I shifted the threshold to 1800 seconds on my sensors.

Thanks for your very well explained effort.  

B.  

Circa 19:14, 1 Dec 2009, a note, claiming source Matt Olney <molney at ...435...>, was sent to me:

Date sent:      	Tue, 1 Dec 2009 19:14:57 -0500
Subject:        	Re: [Snort-sigs] MSSQL False Neg
From:           	Matt Olney <molney at ...435...>
To:             	Nigel Houghton <nhoughton at ...435...>
Copies to:      	bschnzl at ...3374..., snort-sigs at lists.sourceforge.net

> The rule seems to be correct, I'm thinking there is a thresholding
> issue somewhere.  Looking at it, it looks like it should alert if you
> see 5 packets in a 2 second period that match this rule.  If you want
> to check the non-thresholding portion of the rule, try the following
> local rule:


Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at ...3384...
bscherr at ...3385...
703-478-7608
