[Snort-users] Snort rules over-use "any"?

Guy Bruneau bruneau at ...126...
Thu Sep 7 16:48:22 EDT 2000


I agree with Max on the fact that if a signature doesn't have a packet trace (data)
and is only based on a port, it is kind of useless. For example, from time to time it
happens that an ephemeral port is used and the only thing in the signature is the port,
which provides an infinite amount of false positives. The packet trace would ensure
this never happens (at least I would hope so), reducing the false positives to
hopefully zero.

Guy

Max Vision wrote:

> On Thu, 7 Sep 2000, Jason Haar wrote:
> > In the visions.rule file there is very little use of "1024:" for things that
> > are really almost always going to be >1024.
> >
> Like I always say, suggestions are *very* welcome :)  I agree with your
> point, however, I don't know for a fact that this traffic will always come
> in with unprivileged source ports.  All of the trojan rules that don't
> have packet traces are going to go away soon.  I want there to be clear
> reasons for the values of each field in a given signature.  Trojan
> signatures are currently derived from researched lists of ports used on
> the server side (notably tlsecurity.net).
>
> I also share your opinion about the reduction of false positives.
>
> An example of the problem is this: I would go through and change many of
> the rules to source port 1024:, but as soon as I do this RFP will make
> another whisker switch to do source porting (20, 53, 67, etc) and the
> rules will be useless.  (just one example)  There are also numerous tools
> to packetshape all traffic into arbitrary source ports.
>
> Besides, making the switch from source any to source 1024: for common
> rules like web server cgi attacks really doesn't win any performance
> benefit - since 99%+ of the packets are going to be in the 1024: range
> anyway, and packets that have odd ports would be of particular interest
> anyway.
>
> That said, I think your issue is primarily with the trojan rules - and
> believe me I couldn't agree more! :)
>
> You can look forward to significant cleanup in the database, as well as
> some useful additions over the next few weeks.
>
> Max Vision
> http://whitehats.com/
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--
Guy Bruneau
Ma page est a/My page at: http://www.penguinpowered.com/~bruneau
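Added example, not code from the thread or from Snort itself: a small Python model of Snort-style port-spec matching, run over constructed packets, to show what each rule form in the discussion alerts on (port-only, source restricted to 1024:, and keyed on a packet trace). The rule names, packet values and the "EXAMPLE-TROJAN-BANNER" payload marker are assumptions made for illustration.

```python
# Added example, not from the thread: a small model of Snort-style port
# matching to show why port-only trojan rules false-positive on ephemeral
# ports and why "1024:" buys little. All rules, packets and the
# "EXAMPLE-TROJAN-BANNER" payload are constructed for illustration.

def port_matches(spec, port):
    """Snort port syntax: 'any', '31337', '1024:', ':1023', '1024:65535'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def rule_matches(rule, pkt):
    """A rule is a dict of src/dst port specs plus optional content bytes."""
    if not port_matches(rule["src"], pkt["sport"]):
        return False
    if not port_matches(rule["dst"], pkt["dport"]):
        return False
    content = rule.get("content")
    return content is None or content in pkt["payload"]

RULES = {
    # port-only, like the trojan rules under discussion
    "port_only": {"src": "any", "dst": "31337"},
    # the proposed tightening: unprivileged source ports only
    "port_1024": {"src": "1024:", "dst": "31337"},
    # keyed on a packet trace: requires a payload marker (constructed value)
    "content":   {"src": "any", "dst": "31337", "content": b"EXAMPLE-TROJAN-BANNER"},
}

PACKETS = {
    # web server reply to a client that happened to pick 31337 as its ephemeral port
    "http_reply":  {"sport": 80,    "dport": 31337, "payload": b"HTTP/1.0 200 OK\r\n"},
    # benign high-port to high-port transfer that landed on 31337
    "p2p_benign":  {"sport": 45000, "dport": 31337, "payload": b"data data data"},
    # real trojan traffic from an unprivileged source port
    "trojan_high": {"sport": 40000, "dport": 31337, "payload": b"EXAMPLE-TROJAN-BANNER"},
    # the same traffic with a low source port, which the thread notes tools can set
    "trojan_low":  {"sport": 53,    "dport": 31337, "payload": b"EXAMPLE-TROJAN-BANNER"},
}

def alerts(rules=RULES, packets=PACKETS):
    """Return {rule_name: sorted names of packets it alerts on}."""
    return {name: sorted(p for p, pkt in packets.items() if rule_matches(rule, pkt))
            for name, rule in rules.items()}

if __name__ == "__main__":
    for name, hits in alerts().items():
        print(f"{name:10s} -> {hits}")
```

The port-only rule fires on both benign packets, the 1024: variant still fires on the high-port benign transfer while missing the low-source-port trojan, and only the content rule separates the two trojan packets from the benign ones.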

