[Snort-users] false positive rules in snort 2.8.6.0

Will Metcalf william.metcalf at ...11827...
Fri Jun 4 17:30:17 EDT 2010


Ummm I disagree.... Based on the way  stream reassembly is performed  
in snort.  You create and process your uber packet after the real  
packets have already gone across the wire. If configured to do so you  
can drop any other packets sent on the stream but there is room for  
evasion there.

Regards,

Will

Sent from my iPhone

On Jun 4, 2010, at 4:07 PM, JJC <cummingsj at ...11827...> wrote:

> In a response model as opposed to an inline model sure... but if you  
> are inline then the packet doesn't make it through before Snort  
> inspects and / or takes action against it.
>
> On Fri, Jun 4, 2010 at 2:28 PM, Will Metcalf <william.metcalf at ...11827...> wrote:
> Ummmm so what is happening is that these rules are written to
> fingerprint a protocol.  If I remember correctly dropping the traffic
> identified by these sigs isn't enough to cripple e-mule.  Detection !=
> Prevention...  Another example.. fire up a sniffer and use a tcp
> session splicing attack in InlineMode() against a target...  By the
> time snort does reassembly the packets have already gone across the
> wire.
>
> Regards,
>
> Will
>
> On Fri, Jun 4, 2010 at 3:10 PM, Joel Esler <jesler at ...1935...> wrote:
> > Okay, so you aren't saying they are falsing, you are saying that the rules
> > aren't dropping the traffic?
> >
> > On Jun 4, 2010, at 4:00 PM, Lawrence R. Hughes, Sr. wrote:
> >
> > Joel,
> >
> > Thanks for the quick reply...
> >
> > Although they are drop rules, the clients in both cases connect, allow
> > searches and downloads.
> >
> > We do not use pcap, we thought that snort's coverage was enough.
> >
> > Our main concern is about the RIAA...
> >
> > Thanks,
> > Larry
> >
> >
> > ----- Original Message -----
> > From: Joel Esler
> > To: Lawrence R. Hughes, Sr.
> > Sent: Friday, June 04, 2010 3:55 PM
> > Subject: Re: [Snort-users] false positive rules in snort 2.8.6.0
> > What are they falsing on?  Do you have a pcap?
> > J
> > On Jun 4, 2010, at 3:50 PM, Lawrence R. Hughes, Sr. wrote:
> >
> > Hi All,
> >
> > The following two (2) rules in p2p.rules are false positives... Be aware of
> > the RIAA
> >
> > drop tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response";
> >  flow:established,from_server; content:"Server|3A| eMule";
> >  fast_pattern:only; metadata:policy security-ips drop;
> >  reference:url,www.emule-project.net; classtype:policy-violation;
> >  sid:2587; rev:4;)
> > drop udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query";
> >  flow:to_server; content:"|01 02 00 14|";
> >  depth:4; offset:16; metadata:policy security-ips drop;
> >  reference:url,openlito.sourceforge.net; reference:url,www.blubster.com;
> >  classtype:policy-violation; sid:3459; rev:5;)
> >
> >
> > Thanks,
> > Larry
> >
> >
> >
> >  
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> > ThinkGeek and WIRED's GeekDad team up for the Ultimate
> > GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> > lucky parental unit.  See the prize list and enter to win:
> > http://p.sf.net/sfu/thinkgeek-promo_______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > --
> > Joel Esler
> > 302-223-5974
> > Jabber: jesler at ...1935...
> >
>