Snort mailing list archives

Re: false positive rules in snort 2.8.6.0


From: "Safwat Fahmy" <safwat.fahmy () safemedia com>
Date: Fri, 4 Jun 2010 16:57:17 -0400

Joel and Will:

Just an example of the KAD problem. This is one of the capture points (I do
not know how to write rules for Snort YET).

1st capture point for KAD:
OUTGOING PACKET ONLY, TCP

Offset  0       1       2       3       4       5
Hex     0xe3    sz      sz      0x00    0x00    0x01

Match on bytes (0, 3 to 5); extended mandatory match on Mesg. Length (sz =
Data length - 5).
At the end of Mesg. Length either the packet will end or an e3, e4, e5 or c5
byte will be found.
payload length > 25


for eMule:
OUTGOING + INCOMING

0th byte   1st byte   2nd byte   Mandatory Mesg. Len.   Mesg. Type
e3         sz         sz         compute (refer 1A)     TCP

and:

OUTGOING + INCOMING, USED

0th byte   1st byte   2nd byte   Mandatory Mesg. Len.   Mesg. Type
e3         0a         none       25 bytes               UDP
e3         0c         none       25 bytes               UDP
e3         96         none       6 bytes                UDP
e3         a2         none       6 bytes                UDP


I wish I knew how to write Snort rules... I would have written those rules for
the group.

Safwat
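The capture points above describe byte-level matches but give no code; the following is an added example (not part of Safwat's post and not Snort or eMule project code) that implements those checks in Python against constructed sample payloads, so the logic can be tested before it is translated into Snort `content`/`offset`/`depth` and `byte_test` options. Two assumptions are made where the post is silent: the two `sz` bytes are read little-endian, and the "25 bytes"/"6 bytes" column of the UDP table is taken as the exact UDP payload length. The TCP check also generalizes the post's single-message case (`sz = Data length - 5`) to the stated rule that the message boundary is either the end of the packet or a following e3/e4/e5/c5 byte. As Will notes further down, a match like this is detection, not prevention.

```python
"""Constructed check for the KAD/eMule byte patterns described in the post.
Added example; not code from the original message, Snort or eMule."""

from typing import Optional

# Bytes the post lists as the possible start of the next message in the same
# TCP segment: e3, e4, e5 or c5.
NEXT_MSG_MARKERS = frozenset({0xE3, 0xE4, 0xE5, 0xC5})

# The UDP table from the post: (0th byte, 1st byte, message length).
# Assumption: "25 bytes" / "6 bytes" is the exact UDP payload length.
UDP_PATTERNS = (
    (0xE3, 0x0A, 25),
    (0xE3, 0x0C, 25),
    (0xE3, 0x96, 6),
    (0xE3, 0xA2, 6),
)


def match_kad_tcp(payload: bytes) -> bool:
    """First KAD capture point (outgoing TCP).

    Offset 0 must be 0xe3 and offsets 3..5 must be 00 00 01.  The two 'sz'
    bytes at offsets 1..2 are read as a little-endian length (assumption; the
    post does not state byte order).  The post's 'sz = Data length - 5' is the
    single-message case; more generally the message must end exactly at the
    end of the packet, or the byte right after it must be one of the marker
    bytes that start another message.  Payload must exceed 25 bytes.
    """
    if len(payload) <= 25:
        return False
    if payload[0] != 0xE3 or payload[3:6] != b"\x00\x00\x01":
        return False
    sz = int.from_bytes(payload[1:3], "little")
    boundary = 5 + sz  # 1 id byte + 4 length bytes, then sz message bytes
    if boundary > len(payload):
        return False  # declared length runs past the packet: not a clean match
    if boundary == len(payload):
        return True  # packet ends exactly where the message ends
    return payload[boundary] in NEXT_MSG_MARKERS


def match_emule_udp(payload: bytes) -> bool:
    """UDP rows of the eMule table: first two bytes plus exact payload length."""
    if len(payload) < 2:
        return False
    return any(
        payload[0] == b0 and payload[1] == b1 and len(payload) == length
        for b0, b1, length in UDP_PATTERNS
    )


def classify(proto: str, payload: bytes) -> Optional[str]:
    """Return a label for a matching payload, or None when nothing matches."""
    if proto == "tcp" and match_kad_tcp(payload):
        return "KAD TCP capture point 1"
    if proto == "udp" and match_emule_udp(payload):
        return "eMule UDP"
    return None


def build_kad_tcp(body_len: int, trailer: bytes = b"") -> bytes:
    """Construct a sample segment in the described layout (test input only):
    e3, sz (LE16), 00 00, then body_len message bytes starting with 01."""
    header = b"\xe3" + body_len.to_bytes(2, "little") + b"\x00\x00"
    return header + b"\x01" + b"\x00" * (body_len - 1) + trailer


if __name__ == "__main__":
    # Constructed samples: a single KAD message, two messages back to back,
    # a segment with junk after the boundary, and two UDP payloads.
    samples = [
        ("tcp", build_kad_tcp(30)),
        ("tcp", build_kad_tcp(30, b"\xe4\x05\x00\x00\x00\x02")),
        ("tcp", build_kad_tcp(30, b"\x00")),
        ("udp", b"\xe3\x0a" + b"\x00" * 23),
        ("udp", b"\xe3\x96" + b"\x00" * 10),
    ]
    for proto, pkt in samples:
        print(proto, pkt[:6].hex(), len(pkt), "->", classify(proto, pkt))
```

The `boundary > len(payload)` branch is the case worth keeping in any rule translation: a declared length that overruns the segment is exactly the kind of input a crafted or fragmented stream produces, and treating it as a match would inflate the false-positive rate Larry is asking about.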



-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Friday, June 04, 2010 4:32 PM
To: Will Metcalf
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] false positive rules in snort 2.8.6.0

Wait, before we get into all of that...  Are we sure you are running in
"inline" mode?


On Jun 4, 2010, at 4:28 PM, Will Metcalf wrote:

Ummmm so what is happening is that these rules are written to
fingerprint a protocol.  If I remember correctly dropping the traffic
identified by these sigs isn't enough to cripple e-mule.  Detection !=
Prevention...  Another example.. fire up a sniffer and use a tcp
session splicing attack in InlineMode() against a target...  By the
time snort does reassembly the packets have already gone across the
wire.

Regards,

Will

On Fri, Jun 4, 2010 at 3:10 PM, Joel Esler <jesler () sourcefire com> wrote:
Okay, so you aren't saying they are falsing, you are saying that the
rules aren't dropping the traffic?

On Jun 4, 2010, at 4:00 PM, Lawrence R. Hughes, Sr. wrote:

Joel,

Thanks for the quick reply...

Although they are drop rules, the clients in both cases connect, allow
searches and downloads.

We do not use pcap, we thought that snort's coverage was enough.

Our main concern is about the RIAA...

Thanks,
Larry


----- Original Message -----
From: Joel Esler
To: Lawrence R. Hughes, Sr.
Sent: Friday, June 04, 2010 3:55 PM
Subject: Re: [Snort-users] false positive rules in snort 2.8.6.0
What are they falsing on?  Do you have a pcap?
J
On Jun 4, 2010, at 3:50 PM, Lawrence R. Hughes, Sr. wrote:

Hi All,

The following two (2) rules in p2p.rules are false positives... Be aware of
the RIAA

drop tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:4;)
drop udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; flow:to_server; content:"|01 02 00 14|"; depth:4; offset:16; metadata:policy security-ips drop; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:5;)


Thanks,
Larry




------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
lucky parental unit.  See the prize list and enter to win:

http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
302-223-5974
Jabber: jesler () sourcefire com

