[Snort-users] Snort rules over-use "any"?

Max Vision
Thu Sep 7 02:34:54 EDT 2000


On Thu, 7 Sep 2000, Jason Haar wrote:
> In the visions.rule file there is very little use of "1024:" for things that
> are really almost always going to be >1024. 
> 
Like I always say, suggestions are *very* welcome :)  I agree with your
point, however, I don't know for a fact that this traffic will always come
in with unprivileged source ports.  All of the trojan rules that don't
have packet traces are going to go away soon.  I want there to be clear
reasons for the values of each field in a given signature.  Trojan
signatures are currently derived from researched lists of ports used on
the server side (notably tlsecurity.net).

I also share your opinion about the reduction of false positives.

An example of the problem is this: I would go through and change many of
the rules to source port 1024:, but as soon as I do this, RFP will make
another whisker switch to do source porting (20, 53, 67, etc.) and the
rules will be useless.  (just one example)  There are also numerous tools
to packetshape all traffic into arbitrary source ports.

Besides, making the switch from source any to source 1024: for common
rules like web server cgi attacks really doesn't win any performance
benefit - since 99%+ of the packets are going to be in the 1024: range
anyway, and packets that have odd ports would be of particular interest
anyway.

That said, I think your issue is primarily with the trojan rules - and
believe me I couldn't agree more! :)

You can look forward to significant cleanup in the database, as well as
some useful additions over the next few weeks.

Max Vision
http://whitehats.com/
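The source-port argument in the message above, as an added illustration (example code written for this page, not from Max Vision, Snort, or whitehats.com): a toy matcher for Snort-style port specifications ("any", "N", "N:", ":N", "N:M", with "!" negation) is run over a handful of constructed packet records. The two rules, the "/cgi-bin/" content string and the packet payloads are all assumptions made up for the demonstration; the point they show is that narrowing a rule's source port from "any" to "1024:" drops exactly the probe that a whisker-style tool sources from a privileged port such as 53.

```python
"""Toy Snort-style port-spec matcher.

Added example, not code from the original post or from Snort itself.
Packets, rules and the content string below are constructed for
illustration only.
"""


def parse_port_spec(spec):
    """Return a predicate for a Snort port spec.

    Supported forms: 'any', 'N', 'N:' (N and above), ':N' (N and below),
    'N:M' (inclusive range), each optionally prefixed with '!' to negate.
    """
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        pred = lambda p: True
    elif ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
        pred = lambda p, lo=lo, hi=hi: lo <= p <= hi
    else:
        n = int(spec)
        pred = lambda p, n=n: p == n
    if negate:
        return lambda p: not pred(p)
    return pred


def make_rule(name, src_spec, dst_spec, content):
    """Build a minimal rule: source/destination port tests plus a content match."""
    return {
        "name": name,
        "src": parse_port_spec(src_spec),
        "dst": parse_port_spec(dst_spec),
        "content": content,
    }


def match(rule, pkt):
    """True if the packet passes the rule's port tests and contains the content."""
    _pid, sport, dport, payload = pkt
    return rule["src"](sport) and rule["dst"](dport) and rule["content"] in payload


def alerts(rule, packets):
    """Return the ids of the packets the rule would alert on, in order."""
    return [pkt[0] for pkt in packets if match(rule, pkt)]


# Constructed packet records: (id, src_port, dst_port, payload).
# "low-src-probe" mimics a scanner deliberately sourcing from port 53.
PACKETS = [
    ("normal-probe", 33211, 80, b"GET /cgi-bin/probe HTTP/1.0\r\n"),
    ("low-src-probe", 53, 80, b"GET /cgi-bin/probe HTTP/1.0\r\n"),
    ("benign", 41002, 80, b"GET /index.html HTTP/1.0\r\n"),
]

# Same signature, two source-port choices (hypothetical rule names).
RULE_ANY = make_rule("cgi-src-any", "any", "80", b"/cgi-bin/")
RULE_HIGH = make_rule("cgi-src-1024", "1024:", "80", b"/cgi-bin/")


if __name__ == "__main__":
    for rule in (RULE_ANY, RULE_HIGH):
        print(rule["name"], "->", alerts(rule, PACKETS))
```

Running it shows the "any" rule alerting on both probes while the "1024:" rule alerts only on the one with a high source port; the benign request is never matched because the content test fails regardless of port.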



