[Snort-users] The lack of a "client" and "server" definition in snort...

Jason Haar Jason.Haar at ...294...
Tue Jun 5 04:03:13 EDT 2001


I see lots of false positives on vision18.conf from rules such as:

alert TCP $EXTERNAL any -> $INTERNAL 2301 (msg:
"IDS244/http-compaq-insight-dot-dot"; content: "../"; classtype:

I get false positives off events such as a user downloading a HTML page that
references "<IMG SRC='../icons/xxx.gif'>". The client request goes from 
$INTERNAL port 2301 to $EXTERNAL port 80 - hence the match. 

However, that wasn't the intent of the rule. From left to right it's saying
that if an EXTERNAL CLIENT on any port makes a TCP connection to port 2301
on an INTERNAL SERVER, then... Well, that's the way I read it :-)

So, is such "stateful" matches possible? Is that what the stream2
preprocessor will eventually be used for? At the moment I assume it "only"
(trying not to offend anyone ;-) bundles lots of packets within a TCP
session to make them appear as one really large packet WRT rule matches?

I don't know if such "handedness" actually exists in the rules, but a
combination of "handedness" plus stream2 recording which host-port pair
instigated a session would probably do what I'm describing?

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417




More information about the Snort-users mailing list