Snort mailing list archives

Re: False positives due to stream4 issue?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 30 Apr 2003 13:48:42 +1200

On Tue, Apr 29, 2003 at 08:30:11PM -0400, Matt Kettler wrote:
> At 11:50 AM 4/30/2003 +1200, Jason Haar wrote:
>> I've noticed that the FPs I'm getting for "SMTP From comment overflow
>> attempt" look like an entire mail message in one packet. ACID shows me
>> the following:
>
> Are you using snort 2.0? The rule in 2.0 shouldn't have fired on this. It
> should also be looking for a pair of closely spaced ( ) characters after
> the string of <><><><> stuff.

Hmm. You're right. I forgot I've upgraded our "template" IDS to 2.0 but
hadn't pushed it out to the one reporting the FPs...


> In fact, presenting that data in that fashion is pretty much what stream4
> should be doing (although I'd argue it should have flushed the data through
> each time your server responded. So it should have appeared as if it were 4
> packets, regardless of the actual number of IP layer packets, which could
> be significantly greater).

I think I've been here before. The problem is that I'm expecting Snort to
"magically" differentiate between:

client: -> "MAIL FROM: xxxxxxxxx"
server: -> "OK"
client: -> "RCPT TO........."

and

client: -> "<ftp-data stream>"
server: -> ACK
client: -> "<ftp-data stream>"
server: -> ACK

...when in fact there is no difference between those two. What I guess I'm
talking about is the need for a whole slew of new preprocessors:
smtp_decode, tls_decode, etc.

So my problem was actually due to some issue in 1.9.1 - running
snortrules-current by the looks of it - whoops.

BTW: the rules download area needs to be updated - no explicit mention of
what rules are for Snort 2.0...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
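The reassembly and rule behaviour discussed in the message above, as an added example that is not part of the original post or of Snort itself. It simulates stream4 handing the client side of an SMTP session to the detection engine either as one blob for the whole session or flushed into a new chunk each time the server replies, and runs two simplified stand-ins for the rule over the result: one that only looks for the `<>` run after a `From:` (the behaviour the thread attributes to 1.9.1) and one that also requires a closely spaced `( )` pair after the run (the 2.0 behaviour Matt describes). The traffic is constructed, the `From:` anchor, the run length (40 pairs) and the paren spacing (`)` within 3 bytes of `(`) are assumptions rather than the shipped rule's values, and the crafted `MAIL FROM` is only a sample built to trip the simplified check, not an exploit payload.

```python
import re

# Constructed benign SMTP session (not a real capture). Each tuple is one
# direction's data; on the wire the client lines may span many IP packets.
SESSION = [
    ("server", b"220 mail.example.test ESMTP\r\n"),
    ("client", b"HELO relay.example.test\r\n"),
    ("server", b"250 mail.example.test\r\n"),
    ("client", b"MAIL FROM: <user@example.test>\r\n"),
    ("server", b"250 OK\r\n"),
    ("client", b"RCPT TO: <someone@example.test>\r\n"),
    ("server", b"250 OK\r\n"),
    ("client", b"DATA\r\n"),
    ("server", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    # A mail body containing a long run of "<>" decoration but no ( ) pair.
    ("client", b"From: Alice <alice@example.test>\r\nSubject: decoration\r\n\r\n"
               b"look at this: " + b"<>" * 400 + b" isn't it pretty\r\n.\r\n"),
    ("server", b"250 Queued\r\n"),
]

# Constructed sample shaped to trip the check: run of "<>" then "(x)" in the
# MAIL FROM comment. Assumption for illustration only, not a real payload.
ATTACK_SESSION = [
    ("server", b"220 mail.example.test ESMTP\r\n"),
    ("client", b"HELO relay.example.test\r\n"),
    ("server", b"250 mail.example.test\r\n"),
    ("client", b"MAIL FROM: " + b"<>" * 400 + b"(x)\r\n"),
    ("server", b"250 OK\r\n"),
]


def reassemble_client(session, flush_on_response):
    """Return client-to-server data as a reassembler might hand it to the
    detection engine: one blob for the whole session, or a new chunk every
    time the server responds (what Matt argues stream4 should do)."""
    chunks = []
    buf = b""
    for direction, data in session:
        if direction == "client":
            buf += data
        elif flush_on_response and buf:
            chunks.append(buf)
            buf = b""
    if buf:
        chunks.append(buf)
    return chunks


# Simplified stand-ins for the two rule generations. Thresholds are assumed.
FROM = re.compile(rb"From:", re.IGNORECASE)
RUN = re.compile(rb"(?:<>){40,}")
PAREN = re.compile(rb"\(.{0,3}\)", re.DOTALL)


def old_rule_fires(chunk):
    """1.9.1-style check as the thread describes it: a 'From:' followed
    anywhere later in the same chunk by a long run of '<>'."""
    m = FROM.search(chunk)
    return m is not None and RUN.search(chunk, m.end()) is not None


def new_rule_fires(chunk):
    """2.0-style check: the same, plus a closely spaced ( ) pair after the run."""
    m = FROM.search(chunk)
    if m is None:
        return False
    run = RUN.search(chunk, m.end())
    return run is not None and PAREN.search(chunk, run.end()) is not None


def evaluate(session, flush_on_response, rule):
    """True if the rule fires on any chunk the reassembler produces."""
    return any(rule(c) for c in reassemble_client(session, flush_on_response))


if __name__ == "__main__":
    for name, sess in (("benign", SESSION), ("crafted", ATTACK_SESSION)):
        for flush in (False, True):
            print(f"{name:8} flush_on_response={flush!s:5} "
                  f"chunks={len(reassemble_client(sess, flush))} "
                  f"old={evaluate(sess, flush, old_rule_fires)} "
                  f"new={evaluate(sess, flush, new_rule_fires)}")
```

Run as-is and the benign session yields one chunk without flushing and five with it; the run-only check fires on the benign mail in both modes, because a mail body carries its own `From:` header and the `<>` run lands in the same chunk either way, while the check that also demands the `( )` pair stays quiet on the benign mail and fires only on the crafted `MAIL FROM`. That matches the thread's conclusion that the missing paren check in the older rule, not reassembly alone, produced the false positives.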
