[Snort-users] Rules from Snort don't match Arachnids?
vision at ...4...
Wed Apr 25 21:55:24 EDT 2001
In this particular case you will reduce false positives by using the !53:80
port specification, however as a general rule I think it's a Bad Idea to
ignore traffic with certain source ports. There are too many tools and
techniques that can exploit this behavior to evade IDS.
This particular rule, however, doesn't even have a content match, so it is
especially prone to high false positives. Until a better rule is created,
I think it would be a good idea to change the attacker's port range from
any to ":1024" (for this one specific class of attacks). Most trojans are
going to be used by kiddies on Windows machines where the source port will
be >1024. This will also have the side effect of missing the common DNS
and HTTP misfires that the snort.org ruleset was trying to avoid.
Thanks for bringing this to light, I have now searched arachNIDS for the
following query using the advanced search form:
Grouping contains "trojan"
DestinationPort contains "any"
SourceIP contains "INTERNAL"
Contents eq [blank]
Since I have edit ability in the db I then queried for a mass edit of the
DestinationPort field and changed each case to ":1024". This will "fix"
all of the trojan rules that are the most prone to false positives.
I just completed the above and pushed these particular changes to the
production website in about 5 minutes. There are a bunch of other updates
that will be up soon that I am dying to release though...
At 02:49 PM 4/25/2001 -0700, Tom Jacobsen wrote:
>Snort picked up some events based on the following rule (rulebase comes
>$EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming
>Traffic"; flags: A+; refer
>To get more information on this rule, I went to www.whitehats.com to
>look up arachnids 79. But the database there says the snort rule should be
>alert TCP $INTERNAL 5031 -> $EXTERNAL any (msg:
>"IDS79/trojan-active-netmetro"; flags: SA;)
>What's the deal? Who should I believe? Are there more disconnects
>between snort.org and arachnids? The triggered events were probably
>harmless; they were from EXTERNAL:5031 to WebServer:443. Most likely
>innocent https traffic.
>What shall I do? Thoughts? Comments?
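As an added example (not code from either poster or from the Snort or arachNIDS projects), the small matcher below implements Snort's port-field notation (`any`, a single port, `lo:hi`, the open-ended `:1024` / `1024:`, and `!` negation) and evaluates only the port fields of the rule variants discussed above against the reported EXTERNAL:5031 -> WebServer:443 flow; address variables and TCP flag checks are left out, and the `1024:` variant is included only to show the open-ended range in the other direction.

```python
# Added example: evaluate Snort 1.x-style port specifications against a flow,
# to see which of the NetMetro rule variants fire on their port fields alone.
from dataclasses import dataclass


@dataclass(frozen=True)
class PortSpec:
    lo: int        # inclusive lower bound (0 for ":1024")
    hi: int        # inclusive upper bound (65535 for "1024:")
    negated: bool  # a leading "!" inverts the match

    def matches(self, port: int) -> bool:
        in_range = self.lo <= port <= self.hi
        return not in_range if self.negated else in_range


def parse_port_spec(spec: str) -> PortSpec:
    """Parse 'any', '5031', '53:80', ':1024', '1024:' or a '!'-negated form."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return PortSpec(0, 65535, negated)
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0          # ":1024" means 0..1024
        hi = int(hi_s) if hi_s else 65535      # "1024:" means 1024..65535
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return PortSpec(lo, hi, negated)


def rule_fires(src_spec: str, dst_spec: str, src_port: int, dst_port: int) -> bool:
    """True when both port fields of a rule header match the flow."""
    return (parse_port_spec(src_spec).matches(src_port)
            and parse_port_spec(dst_spec).matches(dst_port))


def evaluate_variants(src_port: int, dst_port: int) -> dict:
    """Outcome per destination-port spec, with the source fixed at 5031."""
    return {dst: rule_fires("5031", dst, src_port, dst_port)
            for dst in ("!53:80", "any", ":1024", "1024:")}


if __name__ == "__main__":
    # Constructed flow from the report: EXTERNAL:5031 -> WebServer:443.
    for dst_spec, fired in evaluate_variants(5031, 443).items():
        print(f"5031 -> {dst_spec:7} : {'ALERT' if fired else 'no match'}")
```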