[Snort-users] Why flags PA?

Reckhard, Tobias Reckhard at ...861...
Wed Nov 29 07:48:16 EST 2000

Hi Al, list.

> Which Cybercop scanner checks did it miss? At least some of the Snort
> sig's for it rely on text supplied by the scanner, for example: ehlo
> cybercop|0a|quit|0a| for the scanner-cybercop-smtp-ehlo signature. 
> All of these checks which provide text like this can be modified 
> to use other commands etc. Did he modify the scanner at all?
I don't know. I've forwarded your question to him and asked for an answer.
I'll give it to you when I've received it myself. I remember one specific
check for a CGI-BIN vulnerability of some sort, which I thought wouldn't be
Cybercop-specific, since it can be triggered by using a browser (MS IE). The
Cybercop-IDS-test-check doesn't set the PSH bit in the TCP headers, though,
so it passes Snort, even though I assume the vulnerability may well be
exploited just the same. The real question is: why is the PSH flag required
by so many Snort rules when it is pretty much bogus, from what I gather, and
seemingly hardly a good indication of an attack pattern. If the goal is to
reduce the number of false positives, I'd like to know the reasoning behind



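As an added illustration of the point raised above (this is example code written for this page, not part of the original post and not Snort's own source), the following Python models how a rule with `flags:PA; content:"ehlo cybercop|0a|quit|0a|"` decides whether a TCP segment matches. It builds two constructed segments carrying the same payload, one with PSH+ACK and one with only ACK set, and shows that the bare `PA` specifier (an exact match on the flag byte in Snort's documented `flags:` syntax) misses the ACK-only segment even though the payload is identical, while the `A+` form (ACK plus any other bits) catches both. The rule dictionaries, the `build_tcp_segment` helper and the sample payload are assumptions made for the example; the content string is the one quoted in the message.

```python
"""
Minimal model of how a Snort rule's flags: and content: options decide whether
a TCP segment matches. Constructed example; this is not Snort's own code.
"""
import struct

# TCP flag bits (RFC 793 plus the two ECN bits) keyed by the letters Snort uses.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def build_tcp_segment(flags, payload, sport=12345, dport=25):
    """Constructed 20-byte TCP header (no options, checksum left zero) plus payload.
    Ports, sequence and ack numbers are placeholders; only the flag byte matters here."""
    data_offset = 5 << 4  # 5 x 32-bit words, upper nibble of header byte 12
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, data_offset, flags, 65535, 0, 0)
    return header + payload


def tcp_flags(segment):
    """The flag byte sits at offset 13 of the TCP header."""
    return segment[13]


def flags_match(spec, flags):
    """Snort flags: semantics as documented: bare letters = exact match on the flag byte,
    'PA+' = these bits plus any others, '*PA' = any of these bits set,
    '!PA' = none of these bits set, '0' = no flags set at all."""
    modifier = None
    if spec.endswith("+"):
        modifier, spec = "+", spec[:-1]
    elif spec and spec[0] in "*!":
        modifier, spec = spec[0], spec[1:]
    mask = 0
    if spec != "0":
        for letter in spec:
            mask |= FLAG_BITS[letter]  # KeyError on a letter Snort does not know
    if modifier == "+":
        return flags & mask == mask
    if modifier == "*":
        return flags & mask != 0
    if modifier == "!":
        return flags & mask == 0
    return flags == mask


def content_bytes(spec):
    """Decode a Snort content: string: text outside |...| is literal,
    hex digits between pipes are raw bytes (spaces between them are allowed)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def rule_matches(rule, segment):
    """rule is a dict with optional 'flags' and 'content' options (assumed shape)."""
    if "flags" in rule and not flags_match(rule["flags"], tcp_flags(segment)):
        return False
    if "content" in rule and content_bytes(rule["content"]) not in segment[20:]:
        return False
    return True


# Constructed rules: the first mirrors the quoted signature's flags/content pair,
# the second relaxes the flag test to "ACK plus anything".
CYBERCOP_RULE = {"flags": "PA", "content": "ehlo cybercop|0a|quit|0a|"}
RELAXED_RULE = {"flags": "A+", "content": "ehlo cybercop|0a|quit|0a|"}
PAYLOAD = b"ehlo cybercop\nquit\n"  # constructed sample payload


def demo():
    """Same payload, with and without PSH; returns which rule fires on which segment."""
    with_psh = build_tcp_segment(FLAG_BITS["P"] | FLAG_BITS["A"], PAYLOAD)
    ack_only = build_tcp_segment(FLAG_BITS["A"], PAYLOAD)
    return {
        "PA rule, PSH+ACK": rule_matches(CYBERCOP_RULE, with_psh),
        "PA rule, ACK only": rule_matches(CYBERCOP_RULE, ack_only),
        "A+ rule, ACK only": rule_matches(RELAXED_RULE, ack_only),
    }


if __name__ == "__main__":
    for case, fired in demo().items():
        print(f"{case}: {'match' if fired else 'no match'}")
```

The trade-off is visible in the two rule dictionaries: dropping the exact `PA` requirement lets the rule see the same payload regardless of how the sending stack sets PSH, at the cost of also matching every other segment that carries that content, which is exactly the false-positive question the message raises.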