[Snort-sigs] SID 13923 - Bad Rule

evilghost at ...3397... evilghost at ...3397...
Tue Apr 6 16:20:09 EDT 2010

Hi Pat, thanks for rehashing what I said with more words, as if I didn't 
really quite understand what I was pointing out.  I'm a little snippy 
because I have a right to be, "you" (SourceFire, the company) just 
released a VRT subscription release (of which I pay a substantial amount 
of money for) which successfully (with the confidence of "policy 
security-ips drop") classified all valid ingress SMTP traffic with the 
exclusion of the EHLO rule, as hostile.

Forgive me if I'm not smiles and sunshine.  Honestly, I think I did 
pretty good and not lambasting "you" (SourceFire, the company) in my 
initial email for this gross oversight.

It's pretty evident in this case this subscription release wasn't 
sufficiently QA'd.  To quote you, the problem "is immediately obvious by 
looking at the rule"

-evilghost (the jerk)

Patrick Mullen wrote:
>>> Hello, SID 13923 seems to generate quite a lot of false positives.
> You are correct that the rule alerts on rfc-compliant traffic.  This
> is immediately obvious by looking at the rule.  The rule was modified
> from its previous form which had pcre:"/^HELO\x20(\x00|.\x00)/smi" to
> its new form which currently has "content:"HELO "; content:!"|00|";
> within:2; as part of a lot of performance changes.  Obviously, this
> change does not fit the previous rule's intent due to the "!" modifier
> on the content match.  A mistake was made and then lost in the mix.
> Thank you for pointing it out; it will be fixed in the next release
> and an additional speed increase that was realized during review will
> be added to the rule.
> Next time simply letting us know there is an obvious problem with the
> rule without adding the "...to be a jerk..." part should be
> sufficient.  ;)
> Thanks,
> ~Patrick

More information about the Snort-sigs mailing list