Snort mailing list archives
The lack of a "client" and "server" definition in snort...
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 5 Jun 2001 20:03:13 +1200
I see lots of false positives on vision18.conf from rules such as:

alert TCP $EXTERNAL any -> $INTERNAL 2301 (msg: "IDS244/http-compaq-insight-dot-dot"; content: "../"; classtype:

I get false positives off events such as a user downloading an HTML page that references "<IMG SRC='../icons/xxx.gif'>". The client request goes from $INTERNAL port 2301 to $EXTERNAL port 80 - hence the match.

However, that wasn't the intent of the rule. From left to right it's saying that if an EXTERNAL CLIENT on any port makes a TCP connection to port 2301 on an INTERNAL SERVER, then... Well, that's the way I read it :-)

So, are such "stateful" matches possible? Is that what the stream2 preprocessor will eventually be used for? At the moment I assume it "only" (trying not to offend anyone ;-) bundles lots of packets within a TCP session to make them appear as one really large packet WRT rule matches?

I don't know if such "handedness" actually exists in the rules, but a combination of "handedness" plus stream2 recording which host-port pair instigated a session would probably do what I'm describing?

--
Cheers

Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
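The false positive described in the post comes from the rule header being purely per-packet: `$EXTERNAL any -> $INTERNAL 2301` matches any packet travelling in that direction, including a web server's response to an internal client that happened to pick 2301 as its ephemeral source port. The following added example (not code from the post or from the Snort project) simulates the two matching models side by side: a stateless header-plus-content check equivalent to the quoted rule, and a flow-aware check that records which host-port pair sent the SYN and only fires when the packet flows from that client toward the server, which is the "handedness plus session initiator" combination the post asks about (later Snort releases expose exactly this as the `flow:to_server,established` rule option). The network ranges, addresses, ports and packet payloads are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the $INTERNAL variable; $EXTERNAL is "anything else".
INTERNAL = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    syn: bool = False  # True on the packet that opens the TCP session


@dataclass(frozen=True)
class Rule:
    dport: int
    content: bytes
    msg: str


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_match(rule: Rule, pkt: Packet) -> bool:
    """Per-packet match, the way the quoted rule header reads:
    any $EXTERNAL -> $INTERNAL:<dport> packet carrying the content alerts."""
    return (not is_internal(pkt.src) and is_internal(pkt.dst)
            and pkt.dport == rule.dport and rule.content in pkt.payload)


class FlowTracker:
    """Remembers which endpoint opened each TCP session (sent the SYN)."""

    def __init__(self) -> None:
        self.initiators: dict = {}  # direction-independent flow key -> (ip, port) of the client

    @staticmethod
    def key(pkt: Packet):
        # Sort the two endpoints so both directions of a session share one key.
        return tuple(sorted(((pkt.src, pkt.sport), (pkt.dst, pkt.dport))))

    def observe(self, pkt: Packet) -> None:
        if pkt.syn:
            self.initiators[self.key(pkt)] = (pkt.src, pkt.sport)

    def direction(self, pkt: Packet) -> str:
        client = self.initiators.get(self.key(pkt))
        if client is None:
            return "unknown"
        return "to_server" if (pkt.src, pkt.sport) == client else "to_client"


def stateful_match(rule: Rule, pkt: Packet, flows: FlowTracker) -> bool:
    """Same header and content check, but only for packets travelling from the
    session's client to its server, so a response delivered to an internal
    client on ephemeral port 2301 is ignored."""
    return stateless_match(rule, pkt) and flows.direction(pkt) == "to_server"


def run(packets, rule: Rule):
    """Feed packets through both matchers; return (stateless_hits, stateful_hits)
    as lists of (src, sport, dst, dport) tuples."""
    flows = FlowTracker()
    stateless, stateful = [], []
    for p in packets:
        flows.observe(p)
        ident = (p.src, p.sport, p.dst, p.dport)
        if stateless_match(rule, p):
            stateless.append(ident)
        if stateful_match(rule, p, flows):
            stateful.append(ident)
    return stateless, stateful


RULE = Rule(dport=2301, content=b"../", msg="IDS244/http-compaq-insight-dot-dot")

# Constructed traffic. Session 1: an internal browser using source port 2301
# fetches a page from an external web server; the HTML it gets back contains "../".
# Session 2: an external host connects to port 2301 on an internal server.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", 2301, "203.0.113.5", 80, syn=True),
    Packet("192.0.2.10", 2301, "203.0.113.5", 80, b"GET /page.html HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.5", 80, "192.0.2.10", 2301, b"<IMG SRC='../icons/xxx.gif'>"),
    Packet("203.0.113.7", 51234, "192.0.2.20", 2301, syn=True),
    Packet("203.0.113.7", 51234, "192.0.2.20", 2301, b"GET /cgi/../ HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    stateless_hits, stateful_hits = run(SAMPLE_PACKETS, RULE)
    print("stateless:", stateless_hits)  # both sessions alert, including the response
    print("stateful: ", stateful_hits)   # only the externally initiated session alerts
```

The stateless matcher fires twice, once on the HTML response (the false positive from the post) and once on the genuinely inbound request; the flow-aware matcher fires only on the second, because the first packet's session was opened by the internal host.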
Current thread:
- The lack of a "client" and "server" definition in snort... Jason Haar (Jun 05)
- Re: The lack of a "client" and "server" definition in snort... Jed Haile (Jun 05)
- Re: The lack of a "client" and "server" definition in snort... Jason Haar (Jun 06)
- Re: The lack of a "client" and "server" definition in snort... Jed Haile (Jun 05)