[Snort-users] Why flags PA?

Reckhard, Tobias Reckhard at ...861...
Wed Nov 29 07:48:16 EST 2000


Hi Al, list.

> Which Cybercop scanner checks did it miss? At least some of the Snort
> sigs for it rely on text supplied by the scanner, for example: ehlo
> cybercop|0a|quit|0a| for the scanner-cybercop-smtp-ehlo signature.
> All of these checks which provide text like this can be modified
> to use other commands etc. Did he modify the scanner at all?
> 
I don't know. I've forwarded your question to him and asked for an answer.
I'll give it to you when I've received it myself. I remember one specific
check for a CGI-BIN vulnerability of some sort, which I thought wouldn't be
Cybercop-specific, since it can be triggered by using a browser (MS IE). The
Cybercop-IDS-test-check doesn't set the PSH bit in the TCP headers, though,
so it passes Snort, even though I assume the vulnerability may well be
exploited just the same. The real question is: why is the PSH flag required
by so many Snort rules when, from what I gather, it is pretty much bogus and
hardly a good indication of an attack pattern? If the goal is to reduce the
number of false positives, I'd like to know the reasoning behind that.

Cheers
Tobias
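To make the evasion Tobias describes concrete, here is an added example (not code from the original post and not from the Snort project) that applies Snort's documented `flags:` matching semantics (exact match by default, `+` for "these bits plus any others", `*` for "any of", `!` for "none of", and `,12` to ignore the reserved bits) to a constructed TCP segment. The request payload, ports and the rule content are made up for illustration; they are not Cybercop's actual check. It shows that a rule written with `flags: PA` is skipped entirely when the sender transmits the same data with only ACK set, whereas `flags: A+` still fires.

```python
import struct

# TCP flag bits keyed by the letters Snort's flags: option uses.
# "1" and "2" are the two reserved bits, which a rule can ignore with ",12".
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}


def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP segment (byte 13 of the header)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def parse_flags_option(option: str):
    """Parse a flags: value such as 'PA', 'A+', '*SF', '!R' or 'S,12'
    into (mask, modifier, ignore_mask). The modifier may lead or trail."""
    spec, _, ignore = option.replace(" ", "").partition(",")
    modifier = ""
    if spec and spec[0] in "+*!":
        modifier, spec = spec[0], spec[1:]
    elif spec and spec[-1] in "+*!":
        modifier, spec = spec[-1], spec[:-1]
    mask = 0
    for ch in spec:
        mask |= FLAG_BITS[ch]
    ignore_mask = 0
    for ch in ignore:
        ignore_mask |= FLAG_BITS[ch]
    return mask, modifier, ignore_mask


def flags_match(option: str, flag_byte: int) -> bool:
    """Snort flags: semantics (as documented for the 1.x rule language)."""
    mask, modifier, ignore_mask = parse_flags_option(option)
    flags = flag_byte & ~ignore_mask
    if modifier == "+":        # all listed bits set, others don't matter
        return flags & mask == mask
    if modifier == "*":        # at least one listed bit set
        return flags & mask != 0
    if modifier == "!":        # none of the listed bits set
        return flags & mask == 0
    return flags == mask       # exact match: listed bits and nothing else


def build_segment(flag_byte: int, payload: bytes) -> bytes:
    """Constructed 20-byte TCP header (ports, seq, ack, data offset 5, flags,
    window, checksum left zero, urgent pointer) followed by the payload."""
    header = struct.pack("!HHIIBBHHH", 1025, 80, 1, 1, 5 << 4, flag_byte, 8192, 0, 0)
    return header + payload


def rule_matches(flags_option: str, content: bytes, segment: bytes) -> bool:
    """Minimal stand-in for a rule carrying 'flags:...; content:...;'."""
    return flags_match(flags_option, tcp_flags(segment)) and content in segment[20:]


def demo():
    # Constructed probe; the path is illustrative, not a specific known CGI.
    probe = b"GET /cgi-bin/example HTTP/1.0\r\n\r\n"
    with_push = build_segment(FLAG_BITS["P"] | FLAG_BITS["A"], probe)
    ack_only = build_segment(FLAG_BITS["A"], probe)      # same bytes, no PSH
    return {
        "PA_with_push": rule_matches("PA", b"/cgi-bin/", with_push),
        "PA_ack_only": rule_matches("PA", b"/cgi-bin/", ack_only),
        "A+_ack_only": rule_matches("A+", b"/cgi-bin/", ack_only),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'alert' if hit else 'no alert'}")
```

PSH is set by the sender's stack at its own discretion (typically on the last segment of a write), so a scanner or a hand-built packet can omit it while delivering identical application data; a rule that hard-codes `PA` therefore tests the sender's TCP implementation rather than the attack. Where the flag is not meant to be load-bearing, `A+` (or a `!S` style exclusion of handshake packets) keeps the false-positive filtering without the evasion. A real engine would also reassemble the stream before content matching; this example looks at a single segment only.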
