[Snort-users] Making snort smarter...

Jason security at ...5028...
Tue Apr 29 19:27:01 EDT 2003


I'm going to disagree with this thinking only to add a point of 
consideration.

Many times a vulnerability found in one application is found to affect 
the other in a similar and possibly slightly different way some time later.

Take for example access to the NUL device on a MS platform. It affected 
apache too if it was running on a MS platform. If it is classified as an 
IIS issue and then applied to only IIS servers Apache dies and you miss it.

Of course it would be expected that the rule be revisited once something 
is found to affect a different platform/application but generally 
speaking the services tend to be vulnerable to similar attacks.

For MS _only_ services I can possibly see this justification, but then 
again there is no certainty that Apache or some other web service does 
not allow the vulnerability to manifest itself either. If the rule fires 
quite often then a simple change will tune it out.

It is a trade off that should be made with careful consideration and 
planning and ultimately requires research and tuning appropriate to the 
environment.


Paul Schmehl wrote:
> Sure.  All the web-iis.rules apply only to IIS.  Why would I want alerts 
> for apache running on Solaris when the attack only works on IIS?
> 
> CodeRed, Nimda, etc. all only affect IIS.  Right now all my webservers 
> alert for that stuff, when the only ones I care about are IIS servers.  
> An attacker can pound all day on an apache server looking for 
> iissamples.  Why would I care?
> 
> --On Tuesday, April 29, 2003 10:49:20 AM -0500 
> bmcdowell at ...7861... wrote:
> 
>> Not that I couldn't just look and find out for myself, but:
>>
>> Are there any 'web' rules that you want alerting for IIS servers?
>>
>> Obviously the reverse is the issue, but would such a fix break anything
>> else?
>>
>> -----Original Message-----
>> From: snort-users-admin at lists.sourceforge.net
>> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Paul
>> Schmehl
>> Sent: Tuesday, April 29, 2003 9:49 AM
>> To: Jason Haar; snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Making snort smarter...
>>
>>
>> Sure, I could do that, and then I'd have to cron it so that after
>> oinkmaster replaces the rules they get fixed again.
>>
>> Wouldn't it be simpler to just incorporate this as a change to the
>> ruleset?
>> That way it's fixed for everyone.
>>
>> --On Tuesday, April 29, 2003 09:03:50 PM +1200 Jason Haar
>> <Jason.Haar at ...294...> wrote:
>>
>>> Paul Schmehl wrote:
>>>
>>>> For the specific example you give I think it would be entirely
>>>> appropriate to create a var called "$IIS_SERVERS" and then put all the
>>>> *other* webservers under $HTTP_SERVERS.  I've suggested this before, and
>>>> I'd love to see it implemented in the rules, because IIS is a beast unto
>>>> itself.
>>>
>>>
>>> Good idea - but as all IIS rules are within web-iis.rules, why not just
>>> script a rewrite?
>>>
>>> echo "var IIS_SERVERS [1.2.3.4/32,2.3.4.1/32]"
>>> sed 's/HTTP_SERVERS/IIS_SERVERS/g' web-iis.rules
>>>
>>>
>>> Jason
>>>
>>>
>>>
>>> -------------------------------------------------------
>>> This sf.net email is sponsored by:ThinkGeek
>>> Welcome to geek heaven.
>>> http://thinkgeek.com/sf
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>>
>>
>> Paul Schmehl (pauls at ...6838...)
>> Adjunct Information Security Officer
>> The University of Texas at Dallas
>> AVIEN Founding Member
>> http://www.utdallas.edu
>>
>>
> 
> 
> 
> 
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
> 
> 
> 
> 
> 

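The rewrite Jason Haar sketches above (an echo for the var plus a sed over web-iis.rules), and Paul Schmehl's objection that it has to be re-run from cron every time oinkmaster replaces the file, come together in the following script. It is an added example, not code posted in the thread: it rewrites a rules file in place so the IIS-only rules match `$IIS_SERVERS` instead of `$HTTP_SERVERS`, prepends the `var IIS_SERVERS` definition the way the thread's echo does, and is idempotent, so a second run after an oinkmaster update neither stacks a second var line nor disturbs rules that were already converted. The file paths, the two sample rules (placeholder sids) and the address list are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): move IIS-only rules onto their own
# $IIS_SERVERS variable in a form that can be re-run from cron after
# oinkmaster has replaced web-iis.rules. Sample rules, sids, paths and
# addresses below are constructed for illustration.

# Write a constructed two-rule sample file to $1 (placeholder sids, not real rules).
make_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS constructed sample one"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS constructed sample two"; sid:9000002; rev:1;)
EOF
}

# Rewrite rules file $1 in place so every rule matches $IIS_SERVERS, and
# prepend exactly one 'var IIS_SERVERS <list>' line defining it as $2.
# Idempotent: a var line left by an earlier run is dropped before being
# re-added, and rules already on $IIS_SERVERS contain no $HTTP_SERVERS
# token, so repeated cron runs do not stack definitions or double-rewrite.
retarget_iis_rules() {
    file="$1"
    iis_hosts="$2"
    tmp="$file.tmp.$$"
    # The backslash makes sed match a literal "$HTTP_SERVERS" token instead
    # of treating $ as an end-of-line anchor.
    { grep -v '^var IIS_SERVERS ' "$file" || true; } \
        | sed 's/\$HTTP_SERVERS/$IIS_SERVERS/g' > "$tmp"
    { printf 'var IIS_SERVERS %s\n' "$iis_hosts"; cat "$tmp"; } > "$file"
    rm -f "$tmp"
}

# Report how many lines in $1 still reference $HTTP_SERVERS (0 once converted).
count_http_servers_refs() {
    grep -c '\$HTTP_SERVERS' "$1" || true
}

# Report how many 'var IIS_SERVERS' lines $1 carries (always 1 after a run).
count_var_lines() {
    grep -c '^var IIS_SERVERS ' "$1" || true
}

# Usage: build the sample, run the rewrite twice (the second run is a no-op),
# then show the result and clean up.
sample=$(mktemp)
make_sample_rules "$sample"
retarget_iis_rules "$sample" '[1.2.3.4/32,2.3.4.1/32]'
retarget_iis_rules "$sample" '[1.2.3.4/32,2.3.4.1/32]'
cat "$sample"
rm -f "$sample"
```

Because the rewrite is a pure function of the current file contents, it can sit behind oinkmaster in the same cron job with no state of its own; if the rules update ever reverts the file, the next run simply converts it again, and the count helpers give a cheap post-run check that no `$HTTP_SERVERS` reference survived.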