[Snort-users] False positives???

Matt Kettler mkettler at ...4108...
Wed Sep 4 16:03:02 EDT 2002


A lot of the snort rules philosophy is to detect and log the attempt, even 
if it is unsuccessful.

One reason for that is it is useful to know what things attackers are 
trying on your network, even when they aren't working, and another is that 
most successful attacks are preceded by several unsuccessful ones. 
Logging all of the attacks gives you a better chance of detecting the real 
IP of the attacker, in the event that some of them are using spoofed IPs, 
but others are not.

A hypothetical scenario:

An attacker tries a TCP/IP sendmail root exploit and fails. But since it is 
TCP based, it must be from a valid IP.
He tries a similar type of root exploit on your DNS server's TCP port, 
again, real IP, and again, fails.
He tries a handful of webserver exploits, failing at those.

A short while later he's frustrated at not getting in, and decides to 
SYN flood you using SYN packets from forged IPs.

Even though the sendmail/DNS attacks failed, they give you a good hint who 
might have caused the SYN flood shortly afterwards.

So logging suspicious but unsuccessful attack attempts is still a valuable 
thing. Don't discount them as "false alarms", since their classtype should 
indicate "attempted-admin", not "successful-admin". Read the classtypes for 
rules; they tell you a lot about how you should react.



At 03:00 PM 9/4/2002 -0700, Latha K wrote:

>I was playing with Snort 1.8.7 and noticed this. There is a particular 
>attack in the ftp.rules file, msg:"FTP RETR 1MB". I believe 
>it indicates an attack should be raised if someone tries to open an FTP 
>session and retrieve the file "1 MB".
>
>I issued an FTP "Get" command to retrieve the "1 MB" file. This file does 
>not exist in my directory and it returns a message "550 1MB: No such file 
>or directory." indicating the "GET" is not successful.
>
>But the alert is logged in the snort log even though the attempt is not 
>successful. Is it not possible to correlate the response of the FTP 
>command and raise the alert only if it was successful???
>
>I think there are quite a few attacks like this for which you can know 
>by seeing the response if the attack is successful and then raise alerts?
>
>Any comments
>
>Latha

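As an added illustration (not code from the thread, Snort, or the ftp.rules
file), the script below does what Latha asks about on top of what Matt
describes: it raises the "FTP RETR 1MB" alert on the client request, exactly
as a Snort content rule does, and then enriches the alert with the server's
final reply so the analyst can tell an "attempted" RETR (a 550, or no reply
at all because the session died) from a "successful" one (a 2xx completion
after the 150 preliminary reply). The FTP transcript, the RetrAlert record,
the attempted-admin/successful-admin labels and the function names are all
constructed for this example; the real rule's body is not on the page, only
its msg.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed FTP control-channel transcript: one (direction, line) entry,
# in the order Snort's stream reassembly would hand it to a rule. This is
# illustrative data, not a real capture.
SAMPLE_SESSION: List[Tuple[str, str]] = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS test@example.com"),
    ("server", "230 Login successful."),
    ("client", "RETR 1MB"),                      # attempt 1: file missing
    ("server", "550 1MB: No such file or directory."),
    ("client", "RETR 1MB"),                      # attempt 2: file present
    ("server", "150 Opening BINARY mode data connection for 1MB."),
    ("server", "226 Transfer complete."),
    ("client", "RETR 1MB"),                      # attempt 3: session dies
]

# Request-side match, like the original "FTP RETR 1MB" content rule: it
# looks only at what the client sent, never at the reply.
RETR_1MB = re.compile(r"^RETR\s+1MB\s*$", re.IGNORECASE)

# A complete FTP reply line per RFC 959: three digits then a space or end
# of line. "NNN-" lines are continuations of a multi-line reply and are
# skipped until the terminating "NNN " line arrives.
REPLY = re.compile(r"^(\d)(\d{2})(?: |$)")


@dataclass
class RetrAlert:
    request: str
    final_reply: Optional[str]   # None if the session ended without one
    outcome: str                 # "attempted" or "successful"
    classtype: str               # assumed Snort classtype to report


def final_reply_after(session: List[Tuple[str, str]], start: int) -> Optional[str]:
    """Return the server's final reply after index `start`, skipping 1xx
    preliminary replies (150 before 226), or None if no final reply is seen
    before the next client command or the end of the session."""
    for direction, line in session[start + 1:]:
        if direction == "client":
            return None          # client moved on; reply never observed
        m = REPLY.match(line)
        if m and m.group(1) != "1":
            return line
    return None


def correlate_retr(session: List[Tuple[str, str]]) -> List[RetrAlert]:
    """Alert on every RETR 1MB request (as the rule does), then classify
    it by the server's final reply. Failures and unseen replies are still
    logged, as attempted-admin, which is Matt's point: the attempt is
    evidence even when it did not work."""
    alerts: List[RetrAlert] = []
    for i, (direction, line) in enumerate(session):
        if direction != "client" or not RETR_1MB.match(line):
            continue
        reply = final_reply_after(session, i)
        if reply is not None and reply[0] == "2":
            alerts.append(RetrAlert(line, reply, "successful", "successful-admin"))
        else:
            alerts.append(RetrAlert(line, reply, "attempted", "attempted-admin"))
    return alerts


if __name__ == "__main__":
    for a in correlate_retr(SAMPLE_SESSION):
        print(f"[{a.classtype}] {a.request!r} -> {a.final_reply!r} ({a.outcome})")
```

Note the third attempt: the session ends before any reply, so response
correlation cannot decide, and the only safe choice is to keep the alert as
"attempted". That is the practical reason a request-side rule fires on the
attempt and leaves outcome to post-processing: a NIDS frequently misses the
reply (asymmetric routing, a dropped packet, a RST from the attacker), and
an alert held back until a success reply arrives would be lost entirely.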