[Snort-users] Snort rules over-use "any"?

Daniel van Balen vdaniel at ...191...
Wed Sep 6 07:27:04 EDT 2000


On Wed, Sep 06, 2000 at 11:41:09AM +1200, Jason Haar wrote:
> I just got a couple of bogus alerts, and I think I can see why.
> 
> Most of the rules are of the form:
> 
> alert TCP $INTERNAL 777 -> $EXTERNAL any (msg: "IDS114/trojan-active-aimspy"; flags: SA;)
> 
> That says any internal address port 777 that sends TCP data to any external
> address on any port number should match....
> 

	It's a little more specific than that... It says alert on any
SYN-ACK packet from "any internal address port 777 that sends TCP data to
any external address on any port number" which means that someone
successfully established a tcp connection to an internal machine on port 777
(the port the trojan listens on).


> Why any port number? Surely this should be 1024: instead of any? 
> 

	Most likely because the client doesn't need a well known port to be
able to connect to the server, so it asks the kernel for any old port
number. Or because the attacker can most likely pick any number he likes as
the source port.

-spiff
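A small matcher added here as an illustration (not Snort's own code) that applies the rule from the thread to constructed packets: it shows that the `flags: SA` part only fires on the server-side SYN-ACK leaving port 777, and that tightening the destination port to `1024:` would miss a client that chose a low source port, which is the point made above. The `$INTERNAL`/`$EXTERNAL` bindings and all packets are assumed.

```python
import ipaddress
from collections import namedtuple

# Constructed bindings for the rule's variables (the post does not show the real ones).
VARS = {"$INTERNAL": "10.0.0.0/8", "$EXTERNAL": "!10.0.0.0/8"}
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags as Snort letters, e.g. "SA"

def parse_rule(text):
    # Split a one-line Snort rule into its header fields and the flags option.
    head, _, opts = text.partition("(")
    _action, _proto, src, sport, _arrow, dst, dport = head.split()
    flags = ""
    for opt in opts.rstrip(")").split(";"):
        key, _, val = opt.partition(":")
        if key.strip() == "flags":
            flags = val.strip()
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

def net_match(spec, addr):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negated = spec.startswith("!")
    return (ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))) != negated

def port_match(spec, port):
    if spec == "any":
        return True
    if spec.endswith(":"):  # "1024:" means 1024 and above
        return port >= int(spec[:-1])
    return port == int(spec)

def matches(rule, pkt):
    # Plain "flags: SA" means exactly SYN+ACK set; the +/* modifiers are not modelled here.
    return (net_match(rule["src"], pkt.src) and port_match(rule["sport"], pkt.sport)
            and net_match(rule["dst"], pkt.dst) and port_match(rule["dport"], pkt.dport)
            and set(pkt.flags) == set(rule["flags"]))

RULE = parse_rule('alert TCP $INTERNAL 777 -> $EXTERNAL any (msg: "IDS114/trojan-active-aimspy"; flags: SA;)')
STRICT = parse_rule('alert TCP $INTERNAL 777 -> $EXTERNAL 1024: (msg: "IDS114/trojan-active-aimspy"; flags: SA;)')
PACKETS = {  # constructed traffic, not captures
    "synack_to_ephemeral": Packet("10.1.2.3", 777, "203.0.113.9", 40123, "SA"),  # trojan answered a connect
    "synack_to_low_port": Packet("10.1.2.3", 777, "203.0.113.9", 80, "SA"),      # client used source port 80
    "syn_from_777": Packet("10.1.2.3", 777, "203.0.113.9", 40123, "S"),          # outbound connect, not an answer
    "synack_internal": Packet("10.1.2.3", 777, "10.9.9.9", 40123, "SA"),         # never leaves $INTERNAL
}

def evaluate(rule):
    # Which constructed packets a rule would alert on, keyed by packet name.
    return {name: matches(rule, pkt) for name, pkt in PACKETS.items()}
```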


