[Snort-sigs] SID 13923 - Bad Rule
molney at ...435...
Tue Apr 6 16:34:39 EDT 2010
I thought I was "The Jerk". :(
On Tue, Apr 6, 2010 at 4:20 PM, evilghost at ...3397... <evilghost at ...3397...> wrote:
> Hi Pat, thanks for rehashing what I said with more words, as if I didn't
> really quite understand what I was pointing out. I'm a little snippy
> because I have a right to be, "you" (SourceFire, the company) just
> released a VRT subscription release (for which I pay a substantial amount
> of money) which successfully (with the confidence of "policy
> security-ips drop") classified all valid ingress SMTP traffic, with the
> exclusion of the EHLO rule, as hostile.
> Forgive me if I'm not smiles and sunshine. Honestly, I think I did
> pretty well in not lambasting "you" (SourceFire, the company) in my
> initial email for this gross oversight.
> It's pretty evident in this case this subscription release wasn't
> sufficiently QA'd. To quote you, the problem "is immediately obvious by
> looking at the rule".
> -evilghost (the jerk)
> Patrick Mullen wrote:
> >>> Hello, SID 13923 seems to generate quite a lot of false positives.
> > You are correct that the rule alerts on rfc-compliant traffic. This
> > is immediately obvious by looking at the rule. The rule was modified
> > from its previous form which had pcre:"/^HELO\x20(\x00|.\x00)/smi" to
> > its new form which currently has content:"HELO "; content:!"|00|";
> > within:2; as part of a lot of performance changes. Obviously, this
> > change does not fit the previous rule's intent due to the "!" modifier
> > on the content match. A mistake was made and then lost in the mix.
> > Thank you for pointing it out; it will be fixed in the next release
> > and an additional speed increase that was realized during review will
> > be added to the rule.
> > Next time simply letting us know there is an obvious problem with the
> > rule without adding the "...to be a jerk..." part should be
> > sufficient. ;)
> > Thanks,
> > ~Patrick
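To make the inversion Patrick describes concrete, the following is an added Python model (not Snort code and not part of the thread) of the quoted pcre, the negated content chain, and, as an assumption about what the intent requires, the same chain without the "!" modifier, evaluated over constructed SMTP HELO lines. The content-match semantics are simplified: first occurrence of "HELO " only, case-sensitive.

```python
import re

# Original form of SID 13923 as quoted in the thread: a NUL within the first
# two bytes after "HELO " (either immediately, or after one arbitrary byte).
ORIGINAL_PCRE = re.compile(rb"^HELO\x20(\x00|.\x00)", re.S | re.M | re.I)


def matches_pcre(payload: bytes) -> bool:
    """Behaviour of the quoted pcre:"/^HELO\\x20(\\x00|.\\x00)/smi" option."""
    return ORIGINAL_PCRE.search(payload) is not None


def matches_content_chain(payload: bytes, negate_second: bool) -> bool:
    """Model content:"HELO "; content:[!]"|00|"; within:2;

    The second match is relative to the end of the first and may only succeed
    in the next 2 bytes. With '!' the option is true when the NUL is *absent*
    from that window, which is the inversion the thread describes.
    (Simplified Snort semantics: first "HELO " only, case-sensitive.)
    """
    idx = payload.find(b"HELO ")
    if idx == -1:
        return False  # first content fails, the rule cannot fire
    window = payload[idx + 5 : idx + 5 + 2]
    nul_found = b"\x00" in window
    return (not nul_found) if negate_second else nul_found


# Constructed sample SMTP client lines (not captured traffic).
SAMPLES = {
    "rfc_compliant": b"HELO mail.example.com\r\n",
    "nul_immediately": b"HELO \x00\r\n",
    "nul_after_one_byte": b"HELO a\x00\r\n",
    "nul_too_late": b"HELO ab\x00\r\n",
    "not_helo": b"EHLO mail.example.com\r\n",
}


def compare_forms() -> dict:
    """Return, per sample, whether each rule form would alert."""
    return {
        name: {
            "original_pcre": matches_pcre(p),
            "buggy_negated": matches_content_chain(p, negate_second=True),
            "fixed_content": matches_content_chain(p, negate_second=False),
        }
        for name, p in SAMPLES.items()
    }


def false_positives_of_buggy_form() -> list:
    """Samples the negated form alerts on although the original pcre did not."""
    return sorted(n for n, r in compare_forms().items()
                  if r["buggy_negated"] and not r["original_pcre"])
```

Running `compare_forms()` shows the negated form firing on the RFC-compliant greeting while the pcre and the non-negated chain agree on every sample.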