Snort mailing list archives
plain text in content option triggering false alerts
From: Dan <sophie_bo () earthlink net>
Date: Sat, 13 Dec 2003 10:42:29 -0600 (GMT-06:00)
Hi, I have a question about whether or not I can tune plain text content for greater granularity and fewer false alerts. For example, when searching for netcat usage on the network, I use the following snort rule:

WEB-MISC nc.exe attempt

Desc: This event is generated when an attempt is made to execute Netcat via a web session.

Signature:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nc.exe attempt"; flow:to_server,established; content:"nc.exe"; nocase; classtype:web-application-activity; sid:1062; rev:5;)

Problem: Instead of triggering only on "nc.exe", alerts are being generated any time "nc.exe" is part of a word. Sample payload output from three different alerts:

<WMIValue>rcsync.exe</WMIValue
<WMIValue>WinVNC.exe</WMIVal
<WMIValue>Sync.exe

I only want the alert triggered when "nc.exe" is found, not when it is found as part of another word. This applies to a lot of other rules that use plain text content for triggering alerts. Any time the plain text is searched it will trigger an alert even if the plain text is inside another word. Another example is the chat IRC NICK change rule, the content option "nick" is triggered by:

"Nick Jones"
"nickle"
"Dominick"

How do I tell it to search for only "nick" or only "nc.exe", and not trigger when it's part of another word?

Thanks,
Dan
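The behaviour Dan describes follows from how the content option works: content:"nc.exe"; nocase; is a plain case-insensitive substring test, so any payload containing those six characters anywhere matches. The usual way to demand a whole token in Snort is the pcre rule option, where \b word boundaries or an anchor to the protocol's command position can be expressed. The script below is an added illustration, not part of Dan's message or of the Snort rule set: it models the substring test beside two regex alternatives and runs both over constructed sample payloads (the three false-positive fragments from the mail, plus invented true positives and IRC lines, none of them captured traffic). It also shows the caveat that word boundaries alone are not enough for the NICK case, since "Nick Jones" still contains "Nick" as a whole word; there the match has to be tied to the IRC command position instead.

```python
import re

# Constructed sample payloads for this example (not captured traffic).
NC_EXE_SAMPLES = [
    "<WMIValue>rcsync.exe</WMIValue>",   # false positive: "nc.exe" inside "rcsync.exe"
    "<WMIValue>WinVNC.exe</WMIValue>",   # false positive: "NC.exe" inside "WinVNC.exe" (nocase)
    "<WMIValue>Sync.exe</WMIValue>",     # false positive: "nc.exe" inside "Sync.exe"
    "GET /scripts/nc.exe HTTP/1.0",      # genuine hit: nc.exe as a whole token
]

IRC_SAMPLES = [
    "PRIVMSG #ops :Nick Jones is away",   # "Nick" as a whole word, but not a NICK command
    "PRIVMSG #ops :paid with a nickle",   # "nick" inside "nickle"
    "PRIVMSG #ops :hello Dominick",       # "nick" inside "Dominick"
    "NICK newname\r\n",                   # genuine IRC nickname change
]


def content_match(needle: str, payload: str) -> bool:
    """Model of content:"..."; nocase; -- a case-insensitive substring test."""
    return needle.lower() in payload.lower()


def regex_match(pattern: re.Pattern, payload: str) -> bool:
    """Model of a pcre option: the rule fires if the pattern occurs anywhere."""
    return pattern.search(payload) is not None


# \b requires a non-word character (or start/end of data) on each side of the
# token, so "nc.exe" embedded in "rcsync.exe" no longer matches. The dot must
# be escaped: in a regex an unescaped "." matches any character.
NC_EXE_WORD = re.compile(r"\bnc\.exe\b", re.IGNORECASE)

# Word boundaries alone still accept "Nick Jones"; see NICK_COMMAND below.
NICK_WORD = re.compile(r"\bnick\b", re.IGNORECASE)

# An IRC NICK command is "NICK <nickname>" at the start of a line, so anchor
# the match to the line start (MULTILINE makes ^ match after each newline).
NICK_COMMAND = re.compile(r"^NICK[ \t]+\S+", re.IGNORECASE | re.MULTILINE)


def compare(samples, needle: str, pattern: re.Pattern):
    """Return (substring_hits, regex_hits): indices of samples each test fires on."""
    substring_hits = [i for i, p in enumerate(samples) if content_match(needle, p)]
    regex_hits = [i for i, p in enumerate(samples) if regex_match(pattern, p)]
    return substring_hits, regex_hits


if __name__ == "__main__":
    print("nc.exe  content vs \\bnc\\.exe\\b :", compare(NC_EXE_SAMPLES, "nc.exe", NC_EXE_WORD))
    print("nick    content vs \\bnick\\b   :", compare(IRC_SAMPLES, "nick", NICK_WORD))
    print("nick    content vs ^NICK\\s+   :", compare(IRC_SAMPLES, "nick", NICK_COMMAND))
```

Running it shows the substring test firing on every sample in both sets, the word-boundary pattern reducing the nc.exe set to the one genuine request, and the anchored command pattern being the only test that separates "NICK newname" from "Nick Jones". When moving such a pattern into a rule, keeping the fast content match and adding the pcre as a second condition preserves the performance benefit of the content search while the regex does the final qualification.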