Snort mailing list archives
Conflicting sids?
From: sekure <sekure () gmail com>
Date: Mon, 27 Sep 2004 08:31:24 -0400
Question: How does Snort handle two different rules with the same sid?

Scenario: I have a few Snort sensors capable of seeing traffic from users on the LAN to the web proxy, and also traffic from the web proxy to external web servers. Consider the recent JPEG heap overflow signature, sid 2705:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:2;)

This rule works fine and I see it firing sometimes (thankfully on false positives for now) on my external segment (external web -> proxy). I also rewrote this rule for my internal segment and stuck it in my local rules file, substituting the IP of my proxy for $EXTERNAL_NET and the proxy port for $HTTP_PORTS.

Theoretically, for every attempt to retrieve a JPG I should be seeing two alerts: one as the proxy gets the file from a remote server and one as the user gets it from the proxy. The problem is that I only see it from the external server to the proxy, and NOT on the inside...

Is this because the instance of Snort running internally sees two rules with the sid of 2705 (one in web-client.rules, as above, and one in local.rules, modified), or am I missing something else?

Thanks..
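A quick check for the situation the post describes, added here as an example and not part of the original message or the Snort project: it parses Snort 2 style rule lines, collects every gid:sid pair across rule files, and reports ids used by more than one rule. The rule sets, the proxy address 10.0.0.5:8080 and the file names are constructed for the example; the only real convention relied on is that Snort reserves sids from 1000000 upward for local rules.

```python
import re
from collections import defaultdict

# Constructed sample rule sets, not files from the post: the stock rule, a local
# copy that reuses sid 2705 (the situation described), and a renumbered local copy.
# The proxy address 10.0.0.5:8080 is a placeholder.
RULE_FILES = {
    "web-client.rules": [
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser '
        'heap overflow attempt"; flow:from_server,established; content:"image/jp"; nocase; '
        'classtype:attempted-admin; sid:2705; rev:2;)',
    ],
    "local.rules": [
        '# local copy with the proxy substituted but the original sid kept',
        'alert tcp 10.0.0.5 8080 -> $HOME_NET any (msg:"LOCAL JPEG heap overflow via proxy"; '
        'flow:from_server,established; content:"image/jp"; nocase; sid:2705; rev:2;)',
        'alert tcp 10.0.0.5 8080 -> $HOME_NET any (msg:"LOCAL JPEG heap overflow via proxy"; '
        'flow:from_server,established; content:"image/jp"; nocase; sid:1000001; rev:1;)',
    ],
}

RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s.*\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(?P<key>[a-z_]+)\s*:\s*(?P<val>[^;]*);')

def parse_rule(line):
    """Return {'gid','sid','rev','msg'} for a rule line, or None for comments/blank lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = {}
    for o in OPT_RE.finditer(m.group('opts')):
        opts.setdefault(o.group('key'), o.group('val').strip().strip('"'))
    if 'sid' not in opts:
        return None
    return {'gid': int(opts.get('gid', 1)), 'sid': int(opts['sid']),
            'rev': int(opts.get('rev', 0)), 'msg': opts.get('msg', '')}

def find_duplicate_sids(rule_files):
    """Map (gid, sid) -> [(file, rev, msg), ...] for every id used by more than one rule."""
    seen = defaultdict(list)
    for fname, lines in rule_files.items():
        for line in lines:
            r = parse_rule(line)
            if r:
                seen[(r['gid'], r['sid'])].append((fname, r['rev'], r['msg']))
    return {k: v for k, v in seen.items() if len(v) > 1}

def is_local_sid(sid):
    """Snort reserves sids of 1000000 and above for locally written rules."""
    return sid >= 1000000

if __name__ == '__main__':
    for (gid, sid), uses in find_duplicate_sids(RULE_FILES).items():
        print(f'gid:{gid} sid:{sid} used {len(uses)} times: {uses}')
```

Running it over the real rule directory (reading each file into the dict) flags the reused 2705 before Snort is restarted; renumbering the local copy into the 1000000+ range removes the collision.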