Snort mailing list archives

Conflicting sids?


From: sekure <sekure () gmail com>
Date: Mon, 27 Sep 2004 08:31:24 -0400

Question: How does Snort handle two different rules with the same sid?

Scenario:  I have a few Snort sensors capable of seeing traffic from
users on the LAN to the web proxy, and also traffic from the web proxy
to external web servers.

Consider the recent JPEG heap overflow signature, sid 2705:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; \
    flow:from_server,established; content:"image/jp"; nocase; \
    pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; \
    reference:bugtraq,11173; reference:cve,CAN-2004-0200; \
    reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; \
    classtype:attempted-admin; sid:2705; rev:2;)

This rule works fine and I see it firing sometimes (thankfully only on
false positives for now) on my external segment (external web ->
proxy).  I also rewrote this rule for my internal segment and stuck
it in my local rules file, substituting the IP of my proxy for
$EXTERNAL_NET and the proxy port for $HTTP_PORTS.  Theoretically, for
every attempt to retrieve a JPG I should be seeing two alerts: one as
the proxy gets the file from a remote server and one as the user gets
it from the proxy.

The problem is that I only see it from the external server to the
proxy, and NOT on the inside.  Is this because the instance of
Snort running internally sees two rules with the sid of 2705 (one in
web-client.rules, as above, and one in local.rules, modified), or am I
missing something else?

Thanks.
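The situation described in the post, a copied rule in local.rules that kept the original sid, is exactly what a sid-collision check over a rule set catches before the sensor is restarted. The script below is an added example, not code from the post or from the Snort project: it joins backslash-continued rule lines, pulls gid/sid/rev/msg out of each rule's option block, and reports any (gid, sid) pair that appears more than once across the supplied files. It also suggests a free sid in the 1,000,000+ range, which is the conventional space for locally written rules. The two rule files are constructed inline for the example (the proxy address 10.0.0.5 and port 8080 are made-up placeholders, and the sid 2705 rule is abbreviated); the script does not claim anything about how Snort itself resolves the duplicate, it only finds it.

```python
import re
from collections import defaultdict

# Constructed sample rule files mirroring the scenario in the post.
# The shipped rule keeps sid 2705; the local copy swaps in the proxy
# address/port but forgets to change the sid.
SAMPLE_FILES = {
    "web-client.rules": r'''
# sid 2705 as shipped (pcre and references abbreviated for the example)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/jp"; nocase; classtype:attempted-admin; sid:2705; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; flow:to_server; \
    sid:1000001; rev:1;)
''',
    "local.rules": r'''
# rewritten copy: proxy IP/port substituted, sid left at 2705 (the bug)
alert tcp 10.0.0.5 8080 -> $HOME_NET any (msg:"LOCAL JPEG parser heap overflow attempt via proxy"; flow:from_server,established; content:"image/jp"; nocase; classtype:attempted-admin; sid:2705; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL irc"; sid:1000002; rev:1;)
''',
}

# action, header fields, then the parenthesised option block.
RULE_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s+(.*?)\s*\((.*)\)\s*$')
# Option keywords are matched only at a keyword boundary so "sid:" inside
# a msg string is not mistaken for the sid option.
SID_RE = re.compile(r'(?<![A-Za-z_])sid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'(?<![A-Za-z_])gid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'(?<![A-Za-z_])rev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def iter_rules(text):
    """Yield one logical rule per item: comments/blank lines skipped,
    trailing-backslash continuation lines joined."""
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        yield logical
        logical = ""
    if logical:  # file ended with a dangling continuation
        yield logical


def parse_rule(rule):
    """Return a dict with gid (default 1), sid, rev, msg and header, or None
    if the line is not a rule."""
    m = RULE_RE.match(rule)
    if not m:
        return None
    opts = m.group(3)
    sid = SID_RE.search(opts)
    gid = GID_RE.search(opts)
    rev = REV_RE.search(opts)
    msg = MSG_RE.search(opts)
    return {
        "action": m.group(1),
        "header": m.group(2),
        "gid": int(gid.group(1)) if gid else 1,
        "sid": int(sid.group(1)) if sid else None,
        "rev": int(rev.group(1)) if rev else None,
        "msg": msg.group(1) if msg else "",
    }


def find_sid_collisions(files):
    """files: mapping filename -> rule text.
    Returns {(gid, sid): [(filename, rev, header, msg), ...]} for every
    (gid, sid) that occurs more than once across all files."""
    seen = defaultdict(list)
    for name, text in files.items():
        for rule in iter_rules(text):
            p = parse_rule(rule)
            if p is None or p["sid"] is None:
                continue
            seen[(p["gid"], p["sid"])].append((name, p["rev"], p["header"], p["msg"]))
    return {k: v for k, v in seen.items() if len(v) > 1}


def suggest_local_sid(files, start=1_000_000):
    """First unused sid at or above `start` (1,000,000+ is the local range)."""
    used = set()
    for text in files.values():
        for rule in iter_rules(text):
            p = parse_rule(rule)
            if p and p["sid"] is not None:
                used.add(p["sid"])
    sid = start
    while sid in used:
        sid += 1
    return sid


if __name__ == "__main__":
    for (gid, sid), hits in find_sid_collisions(SAMPLE_FILES).items():
        print(f"gid {gid} sid {sid} defined {len(hits)} times:")
        for name, rev, header, msg in hits:
            print(f"  {name}: rev {rev}  {header}  msg=\"{msg}\"")
    print("next free local sid:", suggest_local_sid(SAMPLE_FILES))
```

Run it against the real rule directory by replacing SAMPLE_FILES with a dict built from `open(path).read()` for each file Snort includes; any entry it prints is a pair of rules the sensor will see under one sid, and the suggested local sid is a safe replacement for the copied rule.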

