Snort mailing list archives
2.1.3 Multiple events/packet
From: sekure <sekure () gmail com>
Date: Mon, 14 Jun 2004 08:54:35 -0400
Now that 2.1.3 has been out for a while, and people have seen the new functionality of alerting/logging multiple events per packet, what do you think and how are you dealing with it? On the surface it seems a good idea, but a lot of packets are generating multiple alerts, usually once on a generic signature and then once on a more specific. For example, a simple directory traversal:

    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
    010 : 32 35 35 63 25 32 35 35 63 2E 2E 2F 77 69 6E 6E  255c%255c../winn
    020 : 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
    030 : 78 65 3F 2F 63 2B 64 69 72 0D 0A                 xe?/c+dir..

This will generate two alerts, 1113 "WEB-MISC http directory traversal", and 1002 "WEB-IIS cmd.exe access". This particular set of alerts also has an interesting distinction of having different priority/severity ratings: event 1113 is attempted-recon, priority of 2, and 1002 is web-application attack, priority of 1.

This isn't a unique case either. I often see 2050 "MS-SQL version overflow attempt" and 2003 "MS-SQL Worm propagation attempt" together, 538 "NETBIOS SMB IPC$ share unicode access" and 2470 "NETBIOS SMB C$ share unicode access", and a bunch of others.

Is it a worthwhile effort to document these alerts and hopefully tune the signatures to deal with it? I understand the benefit of logging multiple events per packet when it really is two different alerts/events, but when the alert is the same, it's counterproductive. How is everyone dealing with this?
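One way an analyst can deal with the duplicate alerts described above, as an added example that is not part of the original post or of Snort itself: parse alert_fast-style lines, group the ones that share a timestamp and 5-tuple (i.e. the same packet), and keep only the highest-priority alert, recording which sids it suppressed. The sample lines, the rule revisions, the classification text for the MS-SQL pair, and the tie-break rule (prefer the higher sid on equal priority) are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort alert_fast layout (not captured from a real sensor).
# Priorities for 1113 (2) and 1002 (1) follow the post; the MS-SQL priorities are assumed.
SAMPLE_ALERTS = """\
06/14-08:54:35.123456  [**] [1:1113:4] WEB-MISC http directory traversal [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:3021 -> 192.168.1.10:80
06/14-08:54:35.123456  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3021 -> 192.168.1.10:80
06/14-08:55:01.000000  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.9:1434 -> 192.168.1.20:1434
06/14-08:55:01.000000  [**] [1:2050:2] MS-SQL version overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 10.0.0.9:1434 -> 192.168.1.20:1434
06/14-08:56:10.500000  [**] [1:1113:4] WEB-MISC http directory traversal [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:4410 -> 192.168.1.10:80
"""

# Field layout assumed: ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alerts(text):
    """Return one dict per parsable alert line; unparsable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
            alerts.append(a)
    return alerts


def packet_key(a):
    # Same timestamp + protocol + endpoints is taken to mean "same packet".
    return (a["ts"], a["proto"], a["src"], a["dst"])


def collapse_per_packet(alerts):
    """Keep one alert per packet: lowest Priority number wins, higher sid breaks ties (assumption)."""
    groups = defaultdict(list)
    for a in alerts:
        groups[packet_key(a)].append(a)
    kept = []
    for group in groups.values():
        best = min(group, key=lambda a: (a["prio"], -a["sid"]))
        suppressed = [a["sid"] for a in group if a is not best]
        kept.append(dict(best, suppressed=suppressed))
    return kept


if __name__ == "__main__":
    for a in collapse_per_packet(parse_alerts(SAMPLE_ALERTS)):
        print(a["ts"], a["sid"], a["msg"], "suppressed:", a["suppressed"])
```

Running it on the sample keeps 1002 over 1113 and 2050 over 2003 for the two doubled packets, and passes the lone 1113 through untouched.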