[Snort-users] Snort rules over-use "any"?

Jason Haar Jason.Haar at ...294...
Thu Sep 7 00:15:47 EDT 2000


On Wed, Sep 06, 2000 at 03:27:04PM +0400, Daniel van Balen wrote:
> On Wed, Sep 06, 2000 at 11:41:09AM +1200, Jason Haar wrote:
> > I just got a couple of bogus alerts, and I think I can see why.
> > 
> > Most of the rules are of the form:
> > 
> > alert TCP $INTERNAL 777 -> $EXTERNAL any (msg: "IDS114/trojan-active-aimspy"; flags: SA;)
> > 
> > Why any port number? Surely this should be 1024: instead of any? 
> > 
> 
> 	Most likely because the client doesn't need a well known port to be
> able to connect to the server, so it asks the kernel for any old port
> number. Or because the attacker can most likely pick any number he likes as
> the source port.

My point is that I got an alert on that which wasn't due to "aimspy"....

I feel this brings up a real point. IDS systems are rapidly becoming very
similar to anti-virus systems in that the thoroughness of the "pattern
files" and the lack of false hits are very important. What I was trying to
say was that IF "aimspy" always uses a >1023 port where the above rule has
"any", then WHY use "any"?????

In the visions.rule file there is very little use of "1024:" for things that
are really almost always going to be >1024. 

-- 
Cheers

Jason Haar

Unix/Network Specialist, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
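As an added illustration of the point argued above (example code written for this page, not part of the original post and not Snort's own code): a toy matcher for the header of a Snort 1.x-style rule that understands the port syntaxes in question (`any`, a single port, `1024:`, `:1023`, `N:M`, and `!` negation) plus the `flags` option. It runs the rule quoted in the thread, and the `1024:` variant the post proposes, over three constructed packets so the difference in what fires is visible. The `$INTERNAL`/`$EXTERNAL` expansion (a hypothetical 10.0.0.0/8 site network), the packets and the function names are all assumptions made for the example.

```python
# Added example (not Snort's code): a toy matcher for the port fields of a
# Snort 1.x-style rule header, showing why "any" on the far side of a rule
# matches traffic that "1024:" would not. The variable expansion ($INTERNAL,
# $EXTERNAL -> a hypothetical 10.0.0.0/8 site network) and the packets are
# constructed for the example.
import ipaddress
import re
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical site network

# The rule quoted in the thread, and the variant the post argues for.
RULE_ANY = ('alert TCP $INTERNAL 777 -> $EXTERNAL any '
            '(msg: "IDS114/trojan-active-aimspy"; flags: SA;)')
RULE_HIGH = ('alert TCP $INTERNAL 777 -> $EXTERNAL 1024: '
             '(msg: "IDS114/trojan-active-aimspy"; flags: SA;)')


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "SA" for SYN+ACK


# Constructed sample traffic: a SYN/ACK from an internal host's port 777 back
# to (a) an ephemeral client port, (b) a well-known port, plus (c) a plain SYN.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 777, "198.51.100.7", 40123, "SA"),
    Packet("10.0.0.5", 777, "198.51.100.7", 80, "SA"),
    Packet("10.0.0.5", 777, "198.51.100.7", 40123, "S"),
]


def port_matches(spec: str, port: int) -> bool:
    """Snort port syntax: any | N | N: | :N | N:M, optionally prefixed with !."""
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:].strip()
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def addr_matches(spec: str, ip: str) -> bool:
    """any, the two site variables, a single address or a CIDR block."""
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$INTERNAL":
        return addr in INTERNAL_NET
    if spec == "$EXTERNAL":
        return addr not in INTERNAL_NET
    return addr in ipaddress.ip_network(spec, strict=False)


HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text: str) -> dict:
    """Split a one-line rule into header fields plus a dict of options.
    Options are split on ';', so this toy does not handle ';' inside a msg."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    rule = m.groupdict()
    opts = {}
    for opt in rule["opts"].split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def _one_way(rule: dict, src: str, sport: int, dst: str, dport: int) -> bool:
    return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Header match (both directions for '<>') plus an exact 'flags' match,
    which is what Snort requires for 'flags:' without the +/* modifiers."""
    if rule["proto"].lower() != "tcp":
        return False
    hdr = _one_way(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if rule["dir"] == "<>":
        hdr = hdr or _one_way(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    flags = rule["opts"].get("flags")
    return hdr and (flags is None or set(flags) == set(pkt.flags))


def alerting_dports(rule_text: str, packets=SAMPLE_PACKETS) -> list:
    """Destination ports of the sample packets that fire the given rule."""
    rule = parse_rule(rule_text)
    return [p.dport for p in packets if rule_matches(rule, p)]


if __name__ == "__main__":
    for name, text in (("any", RULE_ANY), ("1024:", RULE_HIGH)):
        print(f"dport spec {name!r:8} alerts on dports {alerting_dports(text)}")
```

With the constructed packets, the `any` rule fires on both SYN/ACKs (to port 40123 and to port 80), while the `1024:` variant fires only on the reply to the ephemeral port; the plain SYN fires neither because `flags: SA` requires exactly SYN and ACK. Whether tightening to `1024:` is safe for a given signature depends on the trojan's real behaviour, which is the question the post raises rather than answers.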