Snort mailing list archives

Re: [Snort-Sigs] 19213 thousands of FP


From: JJC <cummingsj () gmail com>
Date: Tue, 27 Sep 2011 09:40:42 -0600

Notwithstanding the validity of the F+ nature of the rule, I wanted to take
a quick second to point out a few things here, for the benefit of newer
users on the list etc...

As a matter of IPS best practice and tuning, there will be many valid rules
that will not apply to your infrastructure and that will still alert based
on your traffic.  In this case a simple question should be asked when you
see alerts - "Do I have an Ipswitch IMail Server?"  I suspect that the
answer to that will more than likely be no, and as such this sid should
simply be disabled.

The second item would simply be to utilize one of the VRT base policies
"balanced, security, or connectivity".  Doing so would have had this rule
disabled by default and thus would not have produced the F+ that is noted.

All of this being said, this rule could use some enhancement and that is
being reviewed now.

JJC

On Tue, Sep 27, 2011 at 9:18 AM, matan monitz <mmonitz () gmail com> wrote:

Hello,
Can someone please explain the logic behind the sig?
The ?Q? is very, very common and there is no minimal length on the sig.
Quoting from Secunia:

2) A boundary error in the List Mailer (imailsrv.exe) can be exploited
to cause a stack-based buffer overflow via an overly-long string in the
Subject field following the "?Q?" operator.

You can't just alert on this operator appearing in the subject! (BTW, I'll
be happy if someone can tell me what ?Q? means.)

P.S. The pcre should also be removed from the sig.




------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
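The "?Q?" that the sig keys on is the Q-encoding marker of an RFC 2047 encoded-word (`=?charset?Q?encoded-text?=`), which is why it turns up in so many legitimate Subject headers. The following is an added illustration, not the VRT rule or anything from the thread: it models the criticised "alert on ?Q? at all" logic next to a length-aware check over a few constructed Subject lines. The 256-byte threshold is an assumed placeholder, since the quoted advisory says only "overly-long".

```python
import re

# Placeholder threshold: the Secunia text quoted in the thread says only
# "overly-long", so this value is an assumption for illustration, not from the page.
LONG_ENCODED_TEXT = 256

# RFC 2047 Q-encoding: Subject: =?charset?Q?encoded-text?=
# Capture whatever follows "?Q?" up to the next "?" or end of line, so a
# malformed header with no closing "?=" is still measured.
Q_TEXT = re.compile(r"\?Q\?([^?\r\n]*)", re.IGNORECASE)


def naive_match(header: str) -> bool:
    """Models the criticised rule: alert whenever '?Q?' appears at all."""
    return "?q?" in header.lower()


def length_aware_match(header: str, limit: int = LONG_ENCODED_TEXT) -> bool:
    """Alert only when the text following '?Q?' exceeds the limit."""
    return any(len(m.group(1)) > limit for m in Q_TEXT.finditer(header))


def compare(headers):
    """Return (naive_alerts, length_aware_alerts) over a list of Subject headers."""
    naive = sum(naive_match(h) for h in headers)
    aware = sum(length_aware_match(h) for h in headers)
    return naive, aware


# Constructed sample Subject headers (not captured traffic).
SAMPLES = [
    "Subject: Hello",                                   # plain ASCII, no encoded-word
    "Subject: =?utf-8?Q?Re=3A_Meeting_tomorrow?=",      # ordinary Q-encoded word
    "Subject: =?iso-8859-1?Q?Rechnung_f=FCr_M=E4rz?=",  # another legitimate one
    "Subject: =?us-ascii?Q?" + "A" * 600 + "?=",        # overly long encoded-text
    "Subject: =?us-ascii?Q?" + "B" * 600,               # long and malformed (no closing ?=)
]

if __name__ == "__main__":
    # The naive check fires on every encoded word; the length check only on the long ones.
    print(compare(SAMPLES))  # (4, 2)
```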