Snort mailing list archives

Re: 2.1.3 Multiple events/packet


From: sekure <sekure () gmail com>
Date: Wed, 16 Jun 2004 11:48:13 -0400

Bump....

Is this not an issue for anyone or is everyone in on something I am
oblivious to?  I guess if I don't get any responses I'll just let it
drop.

On Mon, 14 Jun 2004 08:54:35 -0400, sekure <sekure () gmail com> wrote:

Now that 2.1.3 has been out for a while, and people have seen the new
functionality of alerting/logging multiple events per packet, what do
you think and how are you dealing with it?

On the surface it seems a good idea, but a lot of packets are
generating multiple alerts, usually once on a generic signature and
then once on a more specific.  For example, a simple directory
traversal:

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 32 35 35 63 25 32 35 35 63 2E 2E 2F 77 69 6E 6E   255c%255c../winn
020 : 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65   t/system32/cmd.e
030 : 78 65 3F 2F 63 2B 64 69 72 0D 0A                  xe?/c+dir..

This will generate two alerts, 1113 "WEB-MISC http directory
traversal", and 1002 "WEB-IIS cmd.exe access".  This particular set of
alerts also has an interesting distinction of having different
priority/severity ratings: event 1113 is attempted-recon, priority of
2 and 1002 is web-application attack, priority of 1.

This isn't a unique case either.  I often see 2050 "MS-SQL version
overflow attempt" and 2003 "MS-SQL Worm propagation attempt" together,
538 "NETBIOS SMB IPC$ share unicode access" and 2470 "NETBIOS SMB C$
share unicode access" and a bunch of others.  Is it a worthwhile
effort to document these alerts and hopefully tune the signatures to
deal with it?

I understand the benefit of logging multiple events per packet when it
really is two different alerts/events, but when the alert is the same,
it's counterproductive.  How is everyone dealing with this?
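One way to handle the situation described above on the analysis side, rather than by editing the rule set, is to collapse alerts that fire on the same packet and keep only the most severe one while recording which other signatures also matched. The script below is an added example, not code from the original post or from the Snort project; it parses constructed alert lines written in the style of Snort's "alert_fast" output (the classification names and addresses in SAMPLE_ALERTS are made up for the example) and treats alerts sharing a timestamp, protocol, source and destination as belonging to one packet.

```python
import re

# Constructed sample alert lines in Snort alert_fast style (not real sensor output).
# The first pair mirrors the directory-traversal case from the post: sid 1113
# (priority 2) and sid 1002 (priority 1) fire on the same packet.
SAMPLE_ALERTS = """\
06/14-08:54:35.101000  [**] [1:1113:4] WEB-MISC http directory traversal [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:3412 -> 10.0.0.20:80
06/14-08:54:35.101000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3412 -> 10.0.0.20:80
06/14-08:55:02.330000  [**] [1:2050:3] MS-SQL version overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 10.0.0.9:1037 -> 10.0.0.30:1434
06/14-08:55:02.330000  [**] [1:2003:4] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.9:1037 -> 10.0.0.30:1434
06/14-08:57:11.005000  [**] [1:538:10] NETBIOS SMB IPC$ share unicode access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.7:1061 -> 10.0.0.40:445
"""

# Pattern for one alert_fast line. The Classification field is optional because
# rules without a classtype omit it.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for field in ("gid", "sid", "rev", "prio"):
        alert[field] = int(alert[field])
    return alert


def collapse_per_packet(lines):
    """Group alerts that fired on the same packet and keep the most severe one.

    "Same packet" is approximated here as identical timestamp, protocol, source
    and destination. Snort priorities are ordered with 1 as most severe, so the
    lowest priority number wins; ties are broken by the lower sid so the result
    is deterministic. The sids of the other alerts in the group are kept in
    'also_matched' so nothing is silently lost.
    """
    groups = {}
    order = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        key = (alert["ts"], alert["proto"], alert["src"], alert["dst"])
        if key not in groups:
            groups[key] = []
            order.append(key)
        groups[key].append(alert)

    collapsed = []
    for key in order:
        events = groups[key]
        best = min(events, key=lambda e: (e["prio"], e["sid"]))
        summary = dict(best)
        summary["also_matched"] = sorted(e["sid"] for e in events if e is not best)
        collapsed.append(summary)
    return collapsed


if __name__ == "__main__":
    for event in collapse_per_packet(SAMPLE_ALERTS.splitlines()):
        extra = ", also matched: %s" % event["also_matched"] if event["also_matched"] else ""
        print("%s %s sid=%d prio=%d %s -> %s%s" % (
            event["ts"], event["msg"], event["sid"], event["prio"],
            event["src"], event["dst"], extra))
```

Grouping by timestamp and addresses is only an approximation of "one packet"; two distinct packets in the same flow that arrive within the same microsecond would be merged, and a sensor logging with coarser timestamps makes that more likely. The script is meant for reducing what an analyst reads, not for deciding which signatures to keep; the alternative the post raises, tuning the rule set so the generic rule does not fire alongside the specific one, changes what the sensor records and should be weighed separately.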


