Snort mailing list archives

Re: False positives???


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 04 Sep 2002 19:03:26 -0400

A lot of the snort rules philosophy is to detect and log the attempt, even if it is unsuccessful.

One reason for that is it is useful to know what things attackers are trying on your network, even when they aren't working, and another is that most successful attacks are predicated by several unsuccessful ones. Logging all of the attacks gives you a better chance of detecting the real IP of the attacker, in the event that some of them are using spoofed IPs, but others are not.

A hypothetical scenario:

An attacker tries a tcp/ip sendmail root exploit and fails. But since it is tcp based, it must be from a valid IP. He tries a similar type of root exploit on your DNS server's tcp port, again, real IP, and again, fails.
He tries a handful of webserver exploits, failing at those.

A short while later he's frustrated at not getting in, and decides to synflood you using syn packets from forged IPs.

Even though the sendmail/DNS attacks failed, they give you a good hint who might have caused the synflood shortly afterwards.

So logging suspicious but unsuccessful attack attempts is still a valuable thing. Don't discount them as "false alarms", since their classtype should indicate "attempted-admin" not "successful-admin". Read the classtypes for rules; they tell you a lot about how you should react.



At 03:00 PM 9/4/2002 -0700, Latha K wrote:

I was playing with Snort 1.8.7 and noticed this. There is a particular attack in the ftp.rules file, msg:"FTP RETR 1MB". I believe it indicates an attack should be raised if someone tries to open an FTP session and retrieve the file "1 MB".

I issued an FTP "Get" command to retrieve the "1 MB" file. This file does not exist in my directory and it returns a message "550 1MB: No such file or directory." indicating the "GET" is not successful.

But the alert is logged in the snort log even though the attempt is not successful. Is it not possible to correlate the response of the FTP command and raise an alert only if it was successful???

I think there are quite a few attacks like this for which you can know by seeing the response if the attack is successful and then raise alerts?

Any comments?

Latha
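The triage Matt describes (treat "attempted-*" alerts as context, then use them to find the real address behind a later spoofed flood) can be done over Snort's own alert output. The script below is an added example, not code from the thread or from the Snort project: it parses a few constructed lines in Snort's "fast" alert format (the SIDs 9000xx, the addresses and the timestamps are placeholders), maps the long classification names to their short classtype keywords the way classification.config pairs them, counts alerts per source and classtype, and reports which sources produced non-DoS attempted-* alerts in the minutes before the first attempted-dos alert. The FTP RETR 1MB alert from Latha's question is kept as an attempted-admin event rather than filtered out, which is exactly why it is useful here.

```python
"""Triage Snort fast-format alerts by classtype (added example).

Parses constructed alert lines, groups them by source and classtype, and
lists the sources that showed attempted-* activity shortly before a
denial-of-service alert, following the scenario in the reply above.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts. SIDs (9000xx), addresses and times are placeholders.
SAMPLE_ALERTS = """\
09/04-14:58:10.100000  [**] [1:900001:1] SMTP sendmail overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:40111 -> 192.168.1.20:25
09/04-14:58:42.300000  [**] [1:900002:1] DNS named overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:40112 -> 192.168.1.21:53
09/04-14:59:05.500000  [**] [1:900003:1] FTP RETR 1MB [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:40113 -> 192.168.1.22:21
09/04-15:03:30.000000  [**] [1:900004:1] DOS SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.77:1025 -> 192.168.1.20:25
09/04-15:03:30.020000  [**] [1:900004:1] DOS SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.9:1026 -> 192.168.1.20:25
"""

# Long classification names -> short classtype keywords, as paired in
# Snort's classification.config (only the two used here are listed).
CLASSTYPE = {
    "Attempted Administrator Privilege Gain": "attempted-admin",
    "Attempted Denial of Service": "attempted-dos",
}

# One fast-format alert line: timestamp, gid:sid:rev, message, classification,
# priority, protocol and the src:port -> dst:port pair.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<cls>[^\]]+)\]\s+\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text, year=2002):
    """Parse fast-format alert lines into dicts. The format carries no year,
    so one is supplied (assumed 2002 to match the thread's dates)."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an alert line (blank, truncated, other output)
        d = m.groupdict()
        ts = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        events.append({
            "time": ts,
            "sid": int(d["sid"]),
            "msg": d["msg"],
            "classtype": CLASSTYPE.get(d["cls"], d["cls"]),
            "priority": int(d["pri"]),
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
        })
    return events


def count_by_source_and_classtype(events):
    """Per-source counts keyed by classtype, so a source with many
    attempted-admin hits stands out even if none succeeded."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["src"]][e["classtype"]] += 1
    return counts


def suspects_before_dos(events, window_minutes=15):
    """Sources with non-DoS attempted-* alerts within the window before the
    first attempted-dos alert. Those attempts ran over TCP sessions, so their
    source addresses were real; the flood's sources need not be."""
    dos_times = [e["time"] for e in events if e["classtype"] == "attempted-dos"]
    if not dos_times:
        return set()
    first_dos = min(dos_times)
    window = timedelta(minutes=window_minutes)
    return {
        e["src"] for e in events
        if e["classtype"].startswith("attempted-")
        and e["classtype"] != "attempted-dos"
        and first_dos - window <= e["time"] < first_dos
    }


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    for src, c in sorted(count_by_source_and_classtype(evs).items()):
        print(src, dict(c))
    print("sources with failed attempts before the flood:", suspects_before_dos(evs))
```

Feeding a real alert file to `parse_alerts` works for any fast-format lines whose classification is in `CLASSTYPE`; other classifications fall through with their long name intact, so nothing is silently dropped. The window length is a tuning knob: too short and the earlier attempts fall outside it, too long and unrelated scanners get pulled in.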



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

