[Snort-users] Snort rules over-use "any"?
bruneau at ...126...
Thu Sep 7 16:48:22 EDT 2000
I agree with Max the fact that if a signature doesn't have a packet trace (data)
and is only based on a port is kind of useless. For example, from time to time it
happens an ephemeral port is use a the only thing in the signature is the port,
and provides an infinite amount of false positive. The packet trace would insure
this never happens (a least I would hope so), reducing the false positive to
Max Vision wrote:
> On Thu, 7 Sep 2000, Jason Haar wrote:
> > In the visions.rule file there is very little use of "1024:" for things that
> > are really almost always going to be >1024.
> Like I always say, suggestions are *very* welcome :) I agree with your
> point, however, I don't know for a fact that this traffic will always come
> in with unpriveledged source ports. All of the trojan rules that don't
> have packet traces are going to go away soon. I want there to be clear
> reasons for the values of each field in a given signature. Trojan
> signatures are currently derived from researched lists of ports used on
> the server side (notably tlsecurity.net).
> I also share your opinion about the reduction of false positives.
> An example of the problem is this: I would go through and change many of
> the rules to souce port 1024:, but as soon as I do this RFP will make
> another whisker switch to do source porting (20, 53, 67, etc) and the
> rules will be useless. (just one example) There are also numerous tools
> to packetshape all traffic into arbitrary source ports.
> Besides, making the switch from source any to source 1024: for common
> rules like web server cgi attacks really doesn't win any performance
> benefit - since 99%+ of the packets are going to be in the 1024: range
> anyway, and packets that have odd ports would be of particular interest
> That said, I think your issue is primarily with the trojan rules - and
> believe me I couldn't agree more! :)
> You can look forward to significant cleanup in the database, as well as
> some useful additions over the next few weeks.
> Max Vision
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
Ma page est a/My page at: http://www.penguinpowered.com/~bruneau
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users