Snort mailing list archives
Re: false positive rules in snort 2.8.6.0
From: JJC <cummingsj () gmail com>
Date: Fri, 4 Jun 2010 15:07:10 -0600
In a response model as opposed to an inline model sure... but if you are inline then the packet doesn't make it through before Snort inspects and / or takes action against it.

On Fri, Jun 4, 2010 at 2:28 PM, Will Metcalf <william.metcalf () gmail com> wrote:

> Ummmm so what is happening is that these rules are written to fingerprint a protocol. If I remember correctly dropping the traffic identified by these sigs isn't enough to cripple e-mule. Detection != Prevention... Another example.. fire up a sniffer and use a tcp session splicing attack in InlineMode() against a target... By the time snort does reassembly the packets have already gone across the wire.
>
> Regards,
> Will
>
> On Fri, Jun 4, 2010 at 3:10 PM, Joel Esler <jesler () sourcefire com> wrote:
>
>> Okay, so you aren't saying they are falsing, you are saying that the rules aren't dropping the traffic?
>>
>> On Jun 4, 2010, at 4:00 PM, Lawrence R. Hughes, Sr. wrote:
>>
>>> Joel,
>>>
>>> Thanks for the quick reply... Although they are drop rules, the clients in both cases connect, allow searches and downloads. We do not use pcap, we thought that snort's coverage was enough. Our main concern is about the RIAA...
>>>
>>> Thanks,
>>> Larry
>>>
>>> ----- Original Message -----
>>> From: Joel Esler
>>> To: Lawrence R. Hughes, Sr.
>>> Sent: Friday, June 04, 2010 3:55 PM
>>> Subject: Re: [Snort-users] false positive rules in snort 2.8.6.0
>>>
>>> What are they falsing on? Do you have a pcap?
>>>
>>> J
>>>
>>> On Jun 4, 2010, at 3:50 PM, Lawrence R. Hughes, Sr. wrote:
>>>
>>>> Hi All,
>>>>
>>>> The following two (2) rules in p2p.rules are false positives... Be aware of the RIAA
>>>>
>>>> drop tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; fast_pattern:only; metadata:policy security-ips drop; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:4;)
>>>>
>>>> drop udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; flow:to_server; content:"|01 02 0014|"; depth:4; offset:16; metadata:policy security-ips drop; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:5;)
>>>>
>>>> Thanks,
>>>> Larry
>>
>> --
>> Joel Esler
>> 302-223-5974
>> Jabber: jesler () sourcefire com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
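The thread's point is that these signatures fingerprint protocol content, so a drop rule like sid 2587 can only fire on a packet the server sends after the TCP session already exists. As an added example (not code from the thread or from the Snort project), this Python matcher interprets the content/offset/depth options of the two posted rules the way the Snort manual defines them and runs them over constructed sample payloads; the eMule HTTP exchange and the Manolito query bytes are made up, and flow: options are not evaluated.

```python
import re

# Content-related options of the two rules posted in the thread; only the
# content, offset and depth options are interpreted here.
RULES = {
    2587: 'content:"Server|3A| eMule"; fast_pattern:only;',  # eDonkey server response
    3459: 'content:"|01 02 0014|"; depth:4; offset:16;',     # Manolito search query
}

def decode_content(text):
    """Snort content syntax: literal text, with |..| spans holding hex bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2:                                  # odd parts sit inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def parse_rule(options):
    pattern = decode_content(re.search(r'content:"([^"]*)"', options).group(1))
    offset = re.search(r"offset:(\d+)", options)
    depth = re.search(r"depth:(\d+)", options)
    return pattern, int(offset.group(1)) if offset else 0, int(depth.group(1)) if depth else None

def matches(options, payload):
    """Snort semantics: search for the pattern from offset, within depth bytes."""
    pattern, offset, depth = parse_rule(options)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window

# Constructed sample traffic, not captured data (192.0.2.10 is a documentation address).
EMULE_SESSION = [  # client request, then the server's reply, on tcp/4711
    ("to_server", b"GET / HTTP/1.1\r\nHost: 192.0.2.10:4711\r\n\r\n"),
    ("from_server", b"HTTP/1.1 200 OK\r\nServer: eMule\r\n\r\n"),
]
MANOLITO_QUERY = b"\x00" * 16 + b"\x01\x02\x00\x14" + b"search terms"
MANOLITO_SHIFTED = b"\x00" * 17 + b"\x01\x02\x00\x14"  # lands outside offset:16/depth:4

def first_drop(session, sid):
    """Index of the first packet the rule would drop, or None; every packet before
    it has already crossed the wire, which is why the client still connects.
    The direction tag is kept for readability only; flow: is not evaluated."""
    for i, (_direction, payload) in enumerate(session):
        if matches(RULES[sid], payload):
            return i
    return None

if __name__ == "__main__":
    print("sid 2587 first drops packet", first_drop(EMULE_SESSION, 2587))  # 1, the reply
    print("sid 3459 query/shifted:", matches(RULES[3459], MANOLITO_QUERY), matches(RULES[3459], MANOLITO_SHIFTED))
```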
Current thread:
- false positive rules in snort 2.8.6.0 Lawrence R. Hughes, Sr. (Jun 04)
- Re: false positive rules in snort 2.8.6.0 Joel Esler (Jun 04)
- Re: false positive rules in snort 2.8.6.0 Will Metcalf (Jun 04)
- Re: false positive rules in snort 2.8.6.0 Joel Esler (Jun 04)
- Re: false positive rules in snort 2.8.6.0 Safwat Fahmy (Jun 04)
- Re: false positive rules in snort 2.8.6.0 JJC (Jun 04)
- Re: false positive rules in snort 2.8.6.0 Will Metcalf (Jun 04)