[Snort-users] Conflicting sids?

sekure sekure at ...11827...
Mon Sep 27 05:39:20 EDT 2004


Question: How does Snort handle two different rules with the same sid?

Scenario:  I have a few Snort sensors capable of seeing traffic from
users on the LAN to the web proxy, and also traffic from the web proxy
to external web servers.

Consider the recent JPEG heap overflow signature, sid 2705:

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
        (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; \
        flow:from_server,established; content:"image/jp"; nocase; \
        pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; \
        reference:bugtraq,11173; reference:cve,CAN-2004-0200; \
        reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; \
        classtype:attempted-admin; sid:2705; rev:2;)

This rule works fine and I see it firing sometimes (thankfully on
false positives for now) on my external segment (external web ->
proxy).  I also rewrote this rule for my internal segment and stuck
it in my local rules file, substituting the IP of my proxy for
$EXTERNAL_NET and the proxy port for $HTTP_PORTS.  Theoretically, for
every attempt to retrieve a JPG I should be seeing two alerts, one as
the proxy gets the file from a remote server and one as the user gets
it from the proxy.

The problem is that I only see it from the external server to the
proxy, and NOT on the inside....  Is this because the instance of
snort running internally sees two rules with the sid of 2705 (one in
web-clients.rules, as above and one in local.rules, modified), or am I
missing something else?

Thanks..
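
The check a sensor operator would want before loading rules is a pass over all rule files that reports sids defined more than once, and says whether the duplicates are identical copies, the same sid:rev with a different body (the situation described in the post), or different revs. The script below is an added example, not the poster's configuration or any code from the Snort project. The two rule files are constructed inline; the proxy address 10.0.0.5 and port 8080 are hypothetical stand-ins for the values the poster substituted, and the 1,000,000 threshold is the Snort convention that reserves lower sids for distributed rules.

```python
import re
from collections import defaultdict

# Constructed sample rule files, not the poster's real files. The sid 2705
# rule is the one quoted in the post; the local.rules copy substitutes a
# hypothetical proxy address (10.0.0.5) and port (8080) for $EXTERNAL_NET
# and $HTTP_PORTS, which is the rewrite the post describes.
SAMPLE_FILES = {
    "web-client.rules": r'''
# distributed rule, unchanged
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; \
    flow:from_server,established; content:"image/jp"; nocase; \
    pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; \
    reference:bugtraq,11173; reference:cve,CAN-2004-0200; \
    classtype:attempted-admin; sid:2705; rev:2;)
''',
    "local.rules": r'''
# rewritten copy for the internal segment: same sid, same rev, different header
alert tcp 10.0.0.5 8080 -> $HOME_NET any \
    (msg:"WEB-CLIENT JPEG parser heap overflow attempt (via proxy)"; \
    flow:from_server,established; content:"image/jp"; nocase; \
    classtype:attempted-admin; sid:2705; rev:2;)
# a local rule numbered in the local range
alert tcp any any -> $HOME_NET any (msg:"LOCAL test"; sid:1000001; rev:1;)
''',
}

RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
LOCAL_SID_MIN = 1_000_000  # convention: site-local rules use sids from 1,000,000 up


def logical_lines(text):
    """Yield (first_line_number, text) joining backslash-continued lines."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)


def parse_rules(filename, text):
    """Extract header, options, sid and rev from every rule line in one file."""
    rules = []
    for lineno, line in logical_lines(text):
        if not line or line.startswith("#") or line.split()[0] not in RULE_ACTIONS:
            continue
        if "(" not in line or not line.endswith(")"):
            continue  # malformed; a real loader would reject it
        header, options = line.split("(", 1)  # header never contains "("
        options = options[:-1].strip()        # drop the closing ")"
        sid_m, rev_m = SID_RE.search(options), REV_RE.search(options)
        if not sid_m:
            continue
        rules.append({
            "file": filename, "line": lineno,
            "sid": int(sid_m.group(1)),
            "rev": int(rev_m.group(1)) if rev_m else 0,
            "header": " ".join(header.split()),
            "options": options,
        })
    return rules


def find_sid_conflicts(files):
    """Map sid -> list of rule records for every sid defined more than once."""
    by_sid = defaultdict(list)
    for fname, text in files.items():
        for rule in parse_rules(fname, text):
            by_sid[rule["sid"]].append(rule)
    return {sid: rs for sid, rs in by_sid.items() if len(rs) > 1}


def classify(rules):
    """Say what kind of duplicate a group of same-sid rules is."""
    first = rules[0]
    if all(r["header"] == first["header"] and r["options"] == first["options"] for r in rules):
        return "exact duplicate"
    if len({r["rev"] for r in rules}) == 1:
        return "same sid and rev, different rule body"
    return "same sid, different rev"


def check_local_sid_range(files):
    """Flag rules in local*.rules that reuse a sid from the distributed range."""
    return [(r["file"], r["sid"]) for fname, text in files.items()
            if fname.startswith("local") for r in parse_rules(fname, text)
            if r["sid"] < LOCAL_SID_MIN]


if __name__ == "__main__":
    for sid, rs in sorted(find_sid_conflicts(SAMPLE_FILES).items()):
        where = ", ".join(f'{r["file"]}:{r["line"]}' for r in rs)
        print(f"sid {sid}: {classify(rs)} ({where})")
    for fname, sid in check_local_sid_range(SAMPLE_FILES):
        print(f"{fname}: sid {sid} is below {LOCAL_SID_MIN}, renumber it")
```

Run against a real sensor, replace SAMPLE_FILES with the contents of the files named in snort.conf's include lines; the same-sid, same-rev case is the one the post describes, and renumbering the local copy into the local range removes the ambiguity about which copy the engine keeps.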
