[Snort-users] Rules from Snort don't match Arachnids?

Max Vision vision at ...4...
Wed Apr 25 22:12:59 EDT 2001


Two quick points.

1> I messed up and am changing this back ASAP.  It is supposed to be
"1024:" not ":1024".

2> The rules are also different in that I am watching for SYN+ACK instead
of just any ACK packet, so false positives are already greatly reduced in
the first place, since the DNS and HTTP false positives will not occur
(dns and web servers don't initiate connections in to your internal
network, they send response traffic).

Hm, let's see if I can do this in five minutes again... I'll kill the
downloads until it's fixed.


On Wed, 25 Apr 2001, Max Vision wrote:

> Hi,
> In this particular case you will reduce false positives by using the !53:80
> port specification, however as a general rule I think it's a Bad Idea to
> ignore traffic with certain source ports.  There are too many tools and
> techniques that can exploit this behavior to evade IDS.
> This particular rule, however, doesn't even have a content match, so it is
> especially prone to high false positives.  Until a better rule is created,
> I think it would be a good idea to change the attacker's port range from
> any to ":1024" (for this one specific class of attacks).  Most trojans are
> going to be used by kiddies on windows machines where the source port will
> be >1024.  This will also have the side effect of missing the common dns
> and http misfires that the snort.org ruleset was trying to avoid.
> Thanks for bringing this to light, I have now searched arachNIDS for the
> following query using the advanced search form:
>   Grouping contains "trojan"
>   DestinationPort contains "any"
>   SourceIP contains "INTERNAL"
>   Contents eq [blank]
> Since I have edit ability in the db I then queried for a mass edit of the
> DestinationPort field and changed each case to ":1024".  This will "fix"
> all of the trojan rules that are the most prone to false positives.
> I just completed the above and pushed these particular changes to the
> production website in about 5 minutes.  There are a bunch of other updates
> that will be up soon that I am dying to release though...
> Max
> At 02:49 PM 4/25/2001 -0700, Tom Jacobsen wrote:
> >Hi All,
> >
> >Snort picked up some events based on the following rule (rulebase comes
> >from snort.org).
> >
> >$EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming
> >Traffic"; flags: A+; reference:arachnids,79;)
> >
> >To get more information on this rule, I went to www.whitehats.com to
> >lookup arachnids 79.  But the database there says the snort rule should be
> >
> >alert TCP $INTERNAL 5031 -> $EXTERNAL any (msg:
> >"IDS79/trojan-active-netmetro"; flags: SA;)
> >
> >What's the deal?  Who should I believe?  Are there more disconnects
> >between snort.org and arachnids?  The triggered events were probably
> >harmless; they were from EXTERNAL:5031 to WebServer:443.  Most likely
> >innocent https traffic.
> >
> >What shall I do?  Thoughts? Comments?
> >
> >Thanks,
> >Tom.
> >
> >
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >http://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list
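
Added example, not part of either message or of Snort itself: a small Python model of the Snort port-range and TCP flags syntax discussed in this thread, run over constructed packets. Each rule is reduced to source port, destination port and flags; addresses and direction are not modelled, and all function and variable names are assumptions.

```python
# Added illustration: minimal model of Snort port specs and TCP flag tests.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def port_matches(spec, port):
    """Snort port syntax: any, N, N:M, :M (<= M), N: (>= N), optional leading !."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body == "any":
        hit = True
    elif ":" in body:
        lo, hi = body.split(":", 1)
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(body)
    return hit != negate

def flags_match(spec, flags):
    """'SA' requires exactly SYN+ACK; a trailing '+' allows additional flags."""
    want = 0
    for ch in spec.rstrip("+"):
        want |= FLAG_BITS[ch]
    return (flags & want) == want if spec.endswith("+") else flags == want

def rule_fires(rule, pkt):
    src_spec, dst_spec, flag_spec = rule
    return (port_matches(src_spec, pkt["sport"])
            and port_matches(dst_spec, pkt["dport"])
            and flags_match(flag_spec, pkt["flags"]))

# Rules reduced to (source port, destination port, flags) as quoted in the thread.
RULES = {
    "snort.org  !53:80 A+": ("5031", "!53:80", "A+"),
    "arachNIDS  any    SA": ("5031", "any", "SA"),
    "arachNIDS  :1024  SA": ("5031", ":1024", "SA"),   # the mistaken edit
    "arachNIDS  1024:  SA": ("5031", "1024:", "SA"),   # the intended edit
}

# Constructed packets (not captured traffic).
SYN, ACK = FLAG_BITS["S"], FLAG_BITS["A"]
PACKETS = {
    "plain ACK to port 443": {"sport": 5031, "dport": 443, "flags": ACK},
    "SYN+ACK to high port": {"sport": 5031, "dport": 3456, "flags": SYN | ACK},
    "SYN+ACK to port 53": {"sport": 5031, "dport": 53, "flags": SYN | ACK},
}

if __name__ == "__main__":
    for rname, rule in RULES.items():
        for pname, pkt in PACKETS.items():
            print(f"{rname:22} | {pname:22} | fires={rule_fires(rule, pkt)}")
```
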