Snort mailing list archives

Re: SID 23115 appears to be triggering too soon with 2.9.1.2 SNORT using latest rules


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 26 Jun 2012 10:20:26 -0400

Robert,

We've reopened the bug, we'll take a look.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jun 26, 2012, at 1:08 AM, Robert Cotter <Robert.Cotter () endace com> wrote:

Looking at a pcap of the traffic between the server and client, there was only 1 login attempt in the last 15 
seconds before the trigger, and that login triggered the alert.
 
I read the rule as being tailored to track login attempts per source client IP to the server over the last 5 seconds. 
Correct?
 
Is there a problem with the rule?
 
alert tcp any any -> $SQL_SERVERS 3306 ( msg:"SQL MySQL/MariaDB client authentication bypass attempt";flow:to_server,established;content:"|00 00 01|";depth:3;offset:1;fast_pattern;content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|";within:23;distance:9;pcre:"/^\w+\x00/iRm";detection_filter:track by_src,count 100, seconds 5;metadata:policy balanced-ips drop, policy security-ips drop, service mysql;reference:cve,2012-2122;classtype:attempted-admin;sid:23115;rev:2; )
 
Regards
 
-- 
Robert Cotter

 

-- 
Robert Cotter
Sales Engineer APAC - Endace


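To make the detection_filter option of sid 23115 concrete, here is an added example (not code from the list, the rule author, or Snort itself) that parses the option out of the rule text and replays constructed rule matches through a simplified model of Snort's detection_filter: a fixed window per tracked host that starts at the first match, with the rule allowed to alert only once the match count exceeds "count" within "seconds". Host addresses and timestamps are constructed.

```python
import re

# Option string as quoted in the post (sid 23115 rev 2), trimmed to the parts
# this example needs; the detection_filter values are parsed from it below.
RULE_OPTIONS = ('detection_filter:track by_src,count 100, seconds 5;'
                'reference:cve,2012-2122;sid:23115;rev:2;')


def parse_detection_filter(rule):
    """Return (track, count, seconds) from a rule's detection_filter option."""
    m = re.search(r'detection_filter:\s*track\s+(by_src|by_dst)\s*,'
                  r'\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*;', rule)
    if not m:
        raise ValueError('rule has no detection_filter option')
    return m.group(1), int(m.group(2)), int(m.group(3))


class DetectionFilter:
    """Simplified model (assumption, not Snort's code): per tracked host, count
    matches in a fixed window that opens at the first match; a match may alert
    only when the count in that window exceeds `count`."""

    def __init__(self, track, count, seconds):
        self.track, self.count, self.seconds = track, count, seconds
        self.state = {}  # host -> {'start': window start, 'n': matches seen}

    def match(self, src, dst, ts):
        host = src if self.track == 'by_src' else dst
        st = self.state.get(host)
        if st is None or ts - st['start'] > self.seconds:
            self.state[host] = {'start': ts, 'n': 1}  # open a new window
            return False
        st['n'] += 1
        return st['n'] > self.count


def alerts_for(rule, matches):
    """Replay (src, dst, timestamp) rule matches; return timestamps that alert."""
    df = DetectionFilter(*parse_detection_filter(rule))
    return [ts for src, dst, ts in matches if df.match(src, dst, ts)]


# Constructed traffic: one client authenticates once (the case in the post), a
# second client sends 300 matching auth packets in about 3 seconds.
ONE_LOGIN = [('10.0.0.5', '10.0.0.10', 100.0)]
BURST = [('10.0.0.7', '10.0.0.10', 200.0 + i * 0.01) for i in range(300)]

if __name__ == '__main__':
    print('single login alerts:', alerts_for(RULE_OPTIONS, ONE_LOGIN))
    print('burst alerts:', len(alerts_for(RULE_OPTIONS, BURST)))
```

Under this model a lone login never satisfies count 100 / seconds 5, while the burst alerts on its 101st and every later packet inside the window; the per-host state is keyed on the source because the rule tracks by_src.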

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

