[Snort-users] Rules from Snort don't match Arachnids?

Max Vision vision at ...4...
Wed Apr 25 21:55:24 EDT 2001


In this particular case you will reduce false positives by using the !53:80 
port specification, however as a general rule I think it's a Bad Idea to 
ignore traffic with certain source ports.  There are too many tools and 
techniques that can exploit this behavior to evade IDS.

This particular rule, however, doesn't even have a content match, so it is 
especially prone to high false positives.  Until a better rule is created, 
I think it would be a good idea to change the attacker's port range from 
any to ":1024" (for this one specific class of attacks).  Most trojans are 
going to be used by kiddies on windows machines where the source port will 
be >1024.  This will also have the side effect of missing the common dns 
and http misfires that the snort.org ruleset was trying to avoid.

Thanks for bringing this to light, I have now searched arachNIDS for the 
following query using the advanced search form:
  Grouping contains "trojan"
  DestinationPort contains "any"
  SourceIP contains "INTERNAL"
  Contents eq [blank]
Since I have edit ability in the db I then queried for a mass edit of the 
DestinationPort field and changed each case to ":1024".  This will "fix" 
all of the trojan rules that are the most prone to false positives.

I just completed the above and pushed these particular changes to the 
production website in about 5 minutes.  There are a bunch of other updates 
that will be up soon that I am dying to release though...


At 02:49 PM 4/25/2001 -0700, Tom Jacobsen wrote:
>Hi All,
>Snort picked up some events based on the following rule (rulebase comes 
>from snort.org).
>$EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming 
>Traffic"; flags: A+;  refer
>To get more information on this rule, I went to www.whitehats.com to 
>lookup arachnids 79.  But the database there says the snort rule should be
>alert TCP $INTERNAL 5031 -> $EXTERNAL any (msg: 
>"IDS79/trojan-active-netmetro"; flags: SA;)
>What's the deal?  Who should I believe?  Are there more disconnects 
>between snort.org and arachnids?  The triggered events were probably 
>harmless they were from EXTERNAL:5031 to WebServer:443.  Most likely 
>innocent https traffic.
>What shall I do?  Thoughts? Comments?
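The port-field semantics the thread turns on (the snort.org rule's `!53:80` negation, the arachNIDS rule's `any`, and the `:1024` value from the mass edit described above), worked through as an added Python example; this is not code from the thread or from Snort itself. Snort reads `:1024` as every port up to and including 1024, `1024:` as 1024 and above, `53:80` as an inclusive range, and a leading `!` as negation. The script parses the two rule headers quoted in the thread (the snort.org line is cut off in the quote, so its `alert tcp` prefix is assumed), resolves the `$EXTERNAL_NET`/`$INTERNAL`-style variables through an assumed label table instead of real address lists, and evaluates each header variant against constructed connection tuples, including the EXTERNAL:5031 -> WebServer:443 HTTPS session Tom reports.

```python
"""Port-field semantics of a Snort rule header (added example, not from the thread).

Network variables are treated as opaque labels resolved through NET_VARS, an
assumption that stands in for Snort's real address-list resolution.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class PortSpec:
    """A Snort port field: an inclusive range, optionally negated with '!'."""
    lo: int
    hi: int
    negated: bool = False

    def matches(self, port: int) -> bool:
        inside = self.lo <= port <= self.hi
        return not inside if self.negated else inside


def parse_port_spec(text: str) -> PortSpec:
    """Parse 'any', 'N', 'N:M', ':M' (<= M) or 'N:' (>= N), each with an optional '!' prefix."""
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:]
    if text == "any":
        if negated:
            raise ValueError("'!any' would match nothing")
        return PortSpec(0, 65535)
    m = re.fullmatch(r"(\d*)(:?)(\d*)", text)
    if not m or not (m.group(1) or m.group(3)):
        raise ValueError(f"bad port specification: {text!r}")
    lo_s, colon, hi_s = m.groups()
    if colon:
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(lo_s)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return PortSpec(lo, hi, negated)


# Assumed meaning of the network variables used by the two rule sets.
NET_VARS = {"$EXTERNAL_NET": "external", "$EXTERNAL": "external",
            "$HOME_NET": "internal", "$INTERNAL": "internal", "any": "any"}

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>[^\s(]+)\s*(?:\(|$)"
)


@dataclass(frozen=True)
class RuleHeader:
    action: str
    proto: str
    src_net: str
    src_port: PortSpec
    direction: str
    dst_net: str
    dst_port: PortSpec

    def matches(self, src_net: str, src_port: int, dst_net: str, dst_port: int) -> bool:
        """True if the connection tuple satisfies the header (both directions for '<>')."""
        def net_ok(spec: str, label: str) -> bool:
            resolved = NET_VARS.get(spec, spec)
            return resolved == "any" or resolved == label

        forward = (net_ok(self.src_net, src_net) and self.src_port.matches(src_port)
                   and net_ok(self.dst_net, dst_net) and self.dst_port.matches(dst_port))
        if self.direction == "->":
            return forward
        reverse = (net_ok(self.src_net, dst_net) and self.src_port.matches(dst_port)
                   and net_ok(self.dst_net, src_net) and self.dst_port.matches(src_port))
        return forward or reverse


def parse_header(rule: str) -> RuleHeader:
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule header: {rule!r}")
    return RuleHeader(m["action"], m["proto"].lower(), m["src"], parse_port_spec(m["sport"]),
                      m["dir"], m["dst"], parse_port_spec(m["dport"]))


# Rule headers from the thread. The snort.org line is cut off in the quoted mail,
# so its "alert tcp" prefix is assumed here.
SNORT_ORG = ('alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 '
             '(msg:"BACKDOOR NetMetro Incoming Traffic"; flags: A+;)')
ARACHNIDS = 'alert tcp $INTERNAL 5031 -> $EXTERNAL any (msg:"IDS79/trojan-active-netmetro"; flags: SA;)'
ARACHNIDS_1024 = ARACHNIDS.replace(" any ", " :1024 ")  # the mass edit described in the reply

# Constructed connections: the HTTPS session Tom reports (EXTERNAL:5031 -> WebServer:443),
# its reverse direction, a plain HTTP session, and a reply to an attacker on a high port.
CONNECTIONS = {
    "https in  external:5031 -> internal:443": ("external", 5031, "internal", 443),
    "https out internal:443  -> external:5031": ("internal", 443, "external", 5031),
    "http in   external:5031 -> internal:80": ("external", 5031, "internal", 80),
    "reply     internal:5031 -> external:3456": ("internal", 5031, "external", 3456),
}


def evaluate(rule: str, conn: tuple) -> bool:
    return parse_header(rule).matches(*conn)


def main() -> None:
    for name, conn in CONNECTIONS.items():
        print(f"{name:42s} snort.org={evaluate(SNORT_ORG, conn)!s:5s} "
              f"arachnids(any)={evaluate(ARACHNIDS, conn)!s:5s} "
              f"arachnids(:1024)={evaluate(ARACHNIDS_1024, conn)}")


if __name__ == "__main__":
    main()
```

Running it prints one row per constructed connection. The HTTPS session from external port 5031 to 443 satisfies `!53:80` (443 lies outside 53..80), which is exactly the false positive reported; the same session on port 80 does not. The arachNIDS header, written for the victim's reply from port 5031, never fires on the HTTPS session in either direction, and swapping its `any` for `:1024` admits only replies to ports up to 1024.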
