Snort mailing list archives

Some broken rules in 1.8-beta7 Build 36


From: Phil Wood <cpw () lanl gov>
Date: Mon, 2 Jul 2001 16:41:59 -0600

According to www.whitehats.com:

IDS253 and IDS252 specify (port >= 1024) -> (port any)
In snort rule speak, the source port would be represented by:

  1024:, not :1024 (<=1024)

ddos.rules:alert tcp $INTERNAL :1024 -> $EXTERNAL any (msg: "DDOS shaft synflood outgoing"; flags: S; seq: 674711609; reference: arachnids,253; classtype: attempted-dos; sid:241; rev:1;)
===============================^ change to 1024:


ddos.rules:alert tcp $EXTERNAL :1024 -> $INTERNAL any (msg: "DDOS shaft synflood incoming"; flags: S; seq: 674711609; reference: arachnids,252; classtype: attempted-dos; sid:242; rev:1;)
===============================^ change to 1024:


Assuming the smtp server is INTERNAL, then most likely the port assigned by
the smtp OS is >= 1024, or (1024:), and this rule is looking at the response
from the EXTERNAL ident server.  I think the explanation at whitehats is
not correct in regard to the internal port number range.

vision.rules:alert TCP $EXTERNAL 113 -> $INTERNAL :1024 (msg: "IDS123/smtp_smtp-exploit8610"; flags: A+; content: "Croot|0d0a|Mprog, P=/bin/"; classtype: system-attempt; reference: arachnids,123;)
==================================================^ change to 1024:

The responses to most web traffic are sent to ports >= 1024.  Consequently,
I would think that the destination port in the rule below should be 1024:. 

vision.rules:alert TCP $EXTERNAL 80 -> $INTERNAL :1024 (msg: "IDS496/client_client-netscape-gif-comment"; flags: P+; content: "GIF89a|0a|"; content: "parent.frames"; nocase; content: "form"; nocase; classtype: client-attempt; reference: arachnids,496;)
==================================================^ change to 1024:


I could be wrong.  Just want some clarification.  

Thanks,

Phil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
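The point of the post is the meaning of Snort's two open-ended port forms: `:1024` matches ports 0 through 1024 inclusive, `1024:` matches 1024 through 65535 inclusive. The script below is an added example (my own Python, not Snort's code and not from the post) that implements the port-field syntax Snort documents for rule headers (`any`, `N`, `N:`, `:N`, `N:M`, `!` negation) plus a small rule-header parser, then evaluates the shaft and netscape-gif rules quoted above, as shipped and with the proposed `1024:`, against a packet whose client side uses a typical OS-assigned port above 1024. The rule strings are copied from the post with the grep filename prefix removed and are constructed sample input; the port number 33333 is an arbitrary ephemeral port chosen for the demonstration. Network variables such as `$INTERNAL` are not expanded, only the port fields are evaluated.

```python
"""Snort rule-header port semantics (added example, not Snort's own code)."""

import re

PORT_MAX = 65535


def parse_port_spec(spec):
    """Return (negated, low, high) for one Snort port field.

    Supported forms: any, N, N: (N..65535), :N (0..N), N:M, and a leading
    '!' negating any of them. Port variables like $HTTP_PORTS raise.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        return negated, 0, PORT_MAX
    m = re.fullmatch(r"(\d*)(:?)(\d*)", spec)
    if m is None or (m.group(1) == "" and m.group(3) == ""):
        raise ValueError("unsupported port spec: %r" % spec)
    low_s, colon, high_s = m.groups()
    if colon:
        low = int(low_s) if low_s else 0            # ":N"  -> 0..N
        high = int(high_s) if high_s else PORT_MAX  # "N:"  -> N..65535
    else:
        low = high = int(low_s)                     # "N"   -> exactly N
    if not 0 <= low <= high <= PORT_MAX:
        raise ValueError("port range out of order or out of bounds: %r" % spec)
    return negated, low, high


def port_matches(spec, port):
    """True if `port` satisfies the Snort port field `spec` (ranges are inclusive)."""
    negated, low, high = parse_port_spec(spec)
    inside = low <= port <= high
    return not inside if negated else inside


_HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src_net>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst_net>\S+)\s+(?P<dst_port>\S+)\s*\("
)


def parse_rule_header(rule):
    """Split a Snort rule header into its fields; the option body is ignored."""
    m = _HEADER.match(rule)
    if m is None:
        raise ValueError("not a Snort rule header: %r" % rule[:60])
    return m.groupdict()


def header_ports_match(rule, src_port, dst_port):
    """Would the header's port fields accept a packet src_port -> dst_port?

    Only ports are checked; $INTERNAL/$EXTERNAL are deliberately not evaluated.
    """
    h = parse_rule_header(rule)
    forward = port_matches(h["src_port"], src_port) and port_matches(h["dst_port"], dst_port)
    if h["dir"] == "<>":
        reverse = port_matches(h["src_port"], dst_port) and port_matches(h["dst_port"], src_port)
        return forward or reverse
    return forward


# Constructed sample input: rules quoted in the post, as shipped and as proposed.
SHAFT_OUT_AS_SHIPPED = ('alert tcp $INTERNAL :1024 -> $EXTERNAL any (msg: "DDOS shaft synflood outgoing"; '
                        'flags: S; seq: 674711609; reference: arachnids,253; classtype: attempted-dos; sid:241; rev:1;)')
SHAFT_OUT_PROPOSED = SHAFT_OUT_AS_SHIPPED.replace("$INTERNAL :1024", "$INTERNAL 1024:")
GIF_AS_SHIPPED = ('alert TCP $EXTERNAL 80 -> $INTERNAL :1024 (msg: "IDS496/client_client-netscape-gif-comment"; '
                  'flags: P+; content: "GIF89a|0a|"; content: "parent.frames"; nocase; content: "form"; nocase; '
                  'classtype: client-attempt; reference: arachnids,496;)')
GIF_PROPOSED = GIF_AS_SHIPPED.replace("$INTERNAL :1024", "$INTERNAL 1024:")

EPHEMERAL = 33333  # arbitrary OS-assigned client port above 1024 (assumption for the demo)

if __name__ == "__main__":
    cases = [
        ("shaft outgoing, as shipped (:1024)", SHAFT_OUT_AS_SHIPPED, EPHEMERAL, 80),
        ("shaft outgoing, proposed (1024:)", SHAFT_OUT_PROPOSED, EPHEMERAL, 80),
        ("netscape gif, as shipped (:1024)", GIF_AS_SHIPPED, 80, EPHEMERAL),
        ("netscape gif, proposed (1024:)", GIF_PROPOSED, 80, EPHEMERAL),
    ]
    for name, rule, sp, dp in cases:
        print("%-36s %5d -> %5d : %s" % (name, sp, dp, header_ports_match(rule, sp, dp)))
    print("boundary: port 1024 matches ':1024'=%s and '1024:'=%s"
          % (port_matches(":1024", 1024), port_matches("1024:", 1024)))
```

Running it shows the as-shipped rules rejecting the ephemeral-port packet and the proposed `1024:` versions accepting it; port 1024 itself satisfies both forms, so the only ports the two spellings have in common are exactly 1024.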

