Snort mailing list archives
Re: SID 13923 - Bad Rule
From: Matt Olney <molney () sourcefire com>
Date: Tue, 6 Apr 2010 16:34:39 -0400
I thought I was "The Jerk". :(

On Tue, Apr 6, 2010 at 4:20 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:

Hi Pat, thanks for rehashing what I said with more words, as if I didn't really quite understand what I was pointing out. I'm a little snippy because I have a right to be: "you" (SourceFire, the company) just released a VRT subscription release (for which I pay a substantial amount of money) which successfully (with the confidence of "policy security-ips drop") classified all valid ingress SMTP traffic, with the exclusion of the EHLO rule, as hostile. Forgive me if I'm not smiles and sunshine. Honestly, I think I did pretty good in not lambasting "you" (SourceFire, the company) in my initial email for this gross oversight. It's pretty evident in this case that this subscription release wasn't sufficiently QA'd. To quote you, the problem "is immediately obvious by looking at the rule".

-evilghost (the jerk)

Patrick Mullen wrote:

Hello, SID 13923 seems to generate quite a lot of false positives.

You are correct that the rule alerts on RFC-compliant traffic. This is immediately obvious by looking at the rule. The rule was modified from its previous form, which had pcre:"/^HELO\x20(\x00|.\x00)/smi", to its new form, which currently has content:"HELO "; content:!"|00|"; within:2; as part of a lot of performance changes. Obviously, this change does not fit the previous rule's intent due to the "!" modifier on the content match. A mistake was made and then lost in the mix. Thank you for pointing it out; it will be fixed in the next release, and an additional speed increase that was realized during review will be added to the rule.

Next time simply letting us know there is an obvious problem with the rule without adding the "...to be a jerk..." part should be sufficient. ;)

Thanks,
~Patrick
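The following is an added example, not code from the thread or from the Snort rule set: it models the two rule forms Patrick quotes (the original pcre and the rewritten content/within pair) over a few constructed SMTP lines, so the false positive is visible. The "fixed" form simply drops the `!`; that is an assumption about the correction, not what the VRT shipped, and Snort's relative content matching is simplified to the first "HELO " occurrence.

```python
import re

# Original rule body as quoted in the thread; Python's re accepts this PCRE as-is.
PCRE_ORIGINAL = re.compile(rb"^HELO\x20(\x00|.\x00)", re.S | re.M | re.I)


def pcre_rule(buf: bytes) -> bool:
    """Original intent: HELO, a space, then a NUL immediately or one byte later."""
    return PCRE_ORIGINAL.search(buf) is not None


def content_within_rule(buf: bytes, negated: bool) -> bool:
    """Model of: content:"HELO "; content:[!]"|00|"; within:2;

    Simplified Snort semantics: the second content is searched relative to the
    end of the first match, and within:2 confines the one-byte pattern to the
    next two bytes. Snort content is case-sensitive without nocase, and only
    the first "HELO " occurrence is considered here (an assumption).
    """
    start = buf.find(b"HELO ")
    if start == -1:
        return False
    end = start + len(b"HELO ")
    nul_found = b"\x00" in buf[end:end + 2]
    # A negated content is satisfied when the pattern is ABSENT from the window,
    # which is exactly why every ordinary HELO line fires the rewritten rule.
    return (not nul_found) if negated else nul_found


def broken_rule(buf: bytes) -> bool:
    return content_within_rule(buf, negated=True)   # shipped form, with "!"


def fixed_rule(buf: bytes) -> bool:
    return content_within_rule(buf, negated=False)  # assumed fix: drop the "!"


def evaluate(buf: bytes) -> dict:
    return {"pcre": pcre_rule(buf), "broken": broken_rule(buf), "fixed": fixed_rule(buf)}


# Constructed sample lines: one benign HELO, two NUL-bearing HELOs, one EHLO.
SAMPLES = [b"HELO mail.example.com\r\n", b"HELO \x00AAAA", b"HELO A\x00", b"EHLO mail.example.com\r\n"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, evaluate(line))
```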