Snort mailing list archives
Re: false positive rules in snort 2.8.6.0
From: "Safwat Fahmy" <safwat.fahmy () safemedia com>
Date: Fri, 4 Jun 2010 16:57:17 -0400
Joel and Will:

Just an example of the KAD problem. This is one of the capture points (I do not know how to write rules for snort YET).

1st capture point for KAD: OUTGOING PACKET ONLY, TCP

  Offset   0      1    2    3      4      5
  Hex      0xe3   sz   sz   0x00   0x00   0x01

Match on bytes (0, 3 to 5); Extended Mandatory Match on Mesg. Length: (sz = Data length - 5).
At the end of Mesg. Length either the packet will end or an e3, e4, e5 or c5 byte will be found.
Payload length > 25.

For eMule: OUTGOING + INCOMING

  0th byte   1st byte   2nd byte   Mandatory Mesg. Len.   Mesh. Type
  e3         sz         sz         compute (refer 1A)     TCP

and: OUTGOING + INCOMING USED

  e3         0a         none       25 bytes               UDP
  e3         0c         none       25 bytes               UDP
  e3         96         none       6 bytes                UDP
  e3         a2         none       6 bytes                UDP

I wish I knew how to write snort rules... I would have written those rules for the group.

Safwat

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Friday, June 04, 2010 4:32 PM
To: Will Metcalf
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] false positive rules in snort 2.8.6.0

Wait, before we get into all of that... Are we sure you are running in "inline" mode?

On Jun 4, 2010, at 4:28 PM, Will Metcalf wrote:

Ummmm so what is happening is that these rules are written to fingerprint a protocol. If I remember correctly dropping the traffic identified by these sigs isn't enough to cripple e-mule. Detection != Prevention... Another example.. fire up a sniffer and use a tcp session splicing attack in InlineMode() against a target... By the time snort does reassembly the packets have already gone across the wire.

Regards,
Will

On Fri, Jun 4, 2010 at 3:10 PM, Joel Esler <jesler () sourcefire com> wrote:

Okay, so you aren't saying they are falsing, you are saying that the rules aren't dropping the traffic?

On Jun 4, 2010, at 4:00 PM, Lawrence R. Hughes, Sr. wrote:

Joel,

Thanks for the quick reply... Although they are drop rules, the clients in both cases connect, allow searches and downloads. We do not use pcap, we thought that snort's coverage was enough. Our main concern is about the RIAA...

Thanks,
Larry

----- Original Message -----
From: Joel Esler
To: Lawrence R. Hughes, Sr.
Sent: Friday, June 04, 2010 3:55 PM
Subject: Re: [Snort-users] false positive rules in snort 2.8.6.0

What are they falsing on? Do you have a pcap?

J

On Jun 4, 2010, at 3:50 PM, Lawrence R. Hughes, Sr. wrote:

Hi All,

The following two (2) rules in p2p.rules are false positives... Be aware of the RIAA

drop tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:4;)

drop udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; flow:to_server; content:"|01 02 00 14|"; depth:4; offset:16; metadata:policy security-ips drop; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:5;)

Thanks,
Larry
------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win:
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
302-223-5974
Jabber: jesler () sourcefire com
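The "1st capture point" layout Safwat describes at the top of the thread (byte 0 is 0xe3, bytes 3 to 5 are 00 00 01, sz = data length - 5, and after a message either the packet ends or an e3/e4/e5/c5 byte follows), written out as an added Python check; this is not code from the thread or from the Snort rule set. It assumes sz is little-endian (consistent with the two zero bytes at offsets 3 and 4 being the high half of the length) and uses constructed sample packets rather than real captures.

```python
from typing import List, Tuple

# Opcodes that may start the next message once one message's length runs out
# (the "e3, e4, e5 or c5" byte in the capture-point description).
CHAIN_OPCODES = {0xE3, 0xE4, 0xE5, 0xC5}


def split_messages(payload: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk a TCP payload as a chain of [opcode][sz:4 LE][type][body] messages.
    sz counts everything after the 4-byte length field (type byte + body), so
    sz = data length - 5 for a single-message packet (little-endian assumed).
    Returns one (opcode, type, body) per message, or [] if the chain does not
    land exactly on the end of the packet (truncated, spliced or mis-sized).
    """
    out, pos = [], 0
    while pos < len(payload):
        if payload[pos] not in CHAIN_OPCODES or pos + 6 > len(payload):
            return []
        sz = int.from_bytes(payload[pos + 1:pos + 5], "little")
        end = pos + 5 + sz
        if sz < 1 or end > len(payload):
            return []
        out.append((payload[pos], payload[pos + 5], payload[pos + 6:end]))
        pos = end
    return out


def kad_capture_point_1(payload: bytes) -> bool:
    """1st capture point (outgoing TCP): byte 0 == 0xe3, bytes 3..5 == 00 00 01,
    payload longer than 25 bytes, and the length field consistent with where
    the packet ends or the next e3/e4/e5/c5 message starts."""
    if len(payload) <= 25:
        return False
    if payload[0] != 0xE3 or payload[3:6] != b"\x00\x00\x01":
        return False
    return bool(split_messages(payload))


def build(opcode: int, mtype: int, body: bytes) -> bytes:
    """Constructed sample message in the layout above (test data, not a capture)."""
    return bytes([opcode]) + (len(body) + 1).to_bytes(4, "little") + bytes([mtype]) + body


if __name__ == "__main__":
    hello = build(0xE3, 0x01, b"A" * 30)            # single well-formed message
    chained = hello + build(0xC5, 0x02, b"B" * 4)   # second message follows the first
    truncated = hello[:-3]                           # sz no longer lines up with the end
    for name, pkt in [("hello", hello), ("chained", chained), ("truncated", truncated)]:
        print(name, kad_capture_point_1(pkt), len(split_messages(pkt)))
```

The fixed bytes (0xe3 at offset 0, 00 00 01 at offset 3) are what a Snort content match with offset and depth expresses; the walk over sz is the extra consistency check the description asks for beyond plain byte matching.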