[Snort-sigs] SID 13923 - Bad Rule

Matt Olney molney at ...435...
Tue Apr 6 16:34:39 EDT 2010


I thought I was "The Jerk". :(

On Tue, Apr 6, 2010 at 4:20 PM, evilghost at ...3397... <evilghost at ...3397...> wrote:

> Hi Pat, thanks for rehashing what I said with more words, as if I didn't
> really quite understand what I was pointing out.  I'm a little snippy
> because I have a right to be: "you" (SourceFire, the company) just
> released a VRT subscription release (for which I pay a substantial amount
> of money) which successfully (with the confidence of "policy
> security-ips drop") classified all valid ingress SMTP traffic, with the
> exclusion of the EHLO rule, as hostile.
>
> Forgive me if I'm not smiles and sunshine.  Honestly, I think I did
> pretty well at not lambasting "you" (SourceFire, the company) in my
> initial email for this gross oversight.
>
> It's pretty evident in this case that this subscription release wasn't
> sufficiently QA'd.  To quote you, the problem "is immediately obvious by
> looking at the rule".
>
> -evilghost (the jerk)
>
> Patrick Mullen wrote:
> >>> Hello, SID 13923 seems to generate quite a lot of false positives.
> >>>
> >
> > You are correct that the rule alerts on rfc-compliant traffic.  This
> > is immediately obvious by looking at the rule.  The rule was modified
> > from its previous form which had pcre:"/^HELO\x20(\x00|.\x00)/smi" to
> > its new form which currently has "content:"HELO "; content:!"|00|";
> > within:2; as part of a lot of performance changes.  Obviously, this
> > change does not fit the previous rule's intent due to the "!" modifier
> > on the content match.  A mistake was made and then lost in the mix.
> > Thank you for pointing it out; it will be fixed in the next release
> > and an additional speed increase that was realized during review will
> > be added to the rule.
> >
> > Next time simply letting us know there is an obvious problem with the
> > rule without adding the "...to be a jerk..." part should be
> > sufficient.  ;)
> >
> >
> > Thanks,
> >
> > ~Patrick
> >
>
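The logic error Patrick describes above (the "!" on the second content match inverting the original PCRE's intent) is easy to see when both forms of the rule are evaluated side by side over sample SMTP commands. The following Python is an added illustration, not part of this thread and not Sourcefire/VRT code: it emulates the original PCRE from the quoted message, the negated content/within pair that replaced it, and an assumed correction that simply drops the "!" (the thread says the rule will be fixed but does not show the fixed rule, so that correction is this example's assumption). The SMTP lines are constructed test data, and the `content`/`within` emulation is a simplified model of Snort's matching, not the real engine.

```python
import re

# Constructed sample SMTP command lines (not taken from the mailing-list thread).
SAMPLES = {
    "rfc_compliant": b"HELO mail.example.com\r\n",   # normal client greeting
    "null_first":    b"HELO \x00\r\n",                # NUL immediately after "HELO "
    "null_second":   b"HELO a\x00\r\n",               # NUL as the second byte after "HELO "
    "null_later":    b"HELO abc\x00\r\n",             # NUL outside the 2-byte window
    "unrelated":     b"MAIL FROM:<user@example.com>\r\n",
}

# Original rule body quoted in the thread: pcre:"/^HELO\x20(\x00|.\x00)/smi"
# Python's re flags S (dot matches newline), M (^ at line starts) and I (case-insensitive)
# correspond to the PCRE /smi modifiers.
ORIGINAL_PCRE = re.compile(rb"^HELO\x20(\x00|.\x00)", re.S | re.M | re.I)


def original_pcre_alerts(payload: bytes) -> bool:
    """True when the original PCRE-based rule would alert on this payload."""
    return ORIGINAL_PCRE.search(payload) is not None


def content_within(payload: bytes, first: bytes, second: bytes,
                   negate: bool, within: int) -> bool:
    """Simplified emulation of: content:"first"; content:[!]"second"; within:N;

    'within' means the second content must lie entirely inside the N bytes that
    follow the end of the first match.  With '!' the second match succeeds only
    when the content is NOT found in that window.  (Assumption: this models the
    documented semantics closely enough for a 1-byte second content.)
    """
    idx = payload.find(first)
    if idx == -1:
        return False                      # first content missing -> rule fails
    start = idx + len(first)
    window = payload[start:start + within]
    found = second in window
    return (not found) if negate else found


def buggy_rule_alerts(payload: bytes) -> bool:
    """The released form: content:"HELO "; content:!"|00|"; within:2;"""
    return content_within(payload, b"HELO ", b"\x00", negate=True, within=2)


def corrected_rule_alerts(payload: bytes) -> bool:
    """Assumed fix (not shown in the thread): the same pair without the '!'."""
    return content_within(payload, b"HELO ", b"\x00", negate=False, within=2)


def evaluate(samples=SAMPLES):
    """Return {name: (original_pcre, buggy_content, corrected_content)} per sample."""
    return {
        name: (original_pcre_alerts(p), buggy_rule_alerts(p), corrected_rule_alerts(p))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    print(f"{'sample':<14} {'pcre':>5} {'buggy':>6} {'fixed':>6}")
    for name, (pcre, buggy, fixed) in evaluate().items():
        print(f"{name:<14} {pcre!s:>5} {buggy!s:>6} {fixed!s:>6}")
```

Running it shows the inversion directly: the released rule alerts on the plain `HELO mail.example.com` line and on the NUL-outside-the-window case, and stays silent on exactly the two payloads the original PCRE was written to catch. Two further caveats the model makes visible: the bare `content:"HELO "` is neither anchored to the start of a line (the PCRE had `^`) nor case-insensitive (the PCRE had `i`), so even the de-negated content version is not a drop-in equivalent without `nocase` and an anchor such as `depth`; and a negated match with `within` is satisfied by any packet where the preceding content is found, which is why it fired on essentially all ingress SMTP.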