Snort mailing list archives

Re: MSSQL False Neg


From: "Bill Scherr IV" <bschnzl () cotse net>
Date: Tue, 01 Dec 2009 21:37:51 -0500

Matt...

From a # snort -c <file> -T 2>&1 | less
gen-id=1 _ sig-id=3543 _ type=Threshold _ tracking=src _ count=5 _ seconds=2

So the thresholding is set.  That seems a bit tight.  This guy passes one packet every 2.25 seconds. IMHO, that passes for a brute force attempt. Granted this service should not be subjected to one of these attacks, but 2 to 3 attempts per second is kind of heavy.

I shifted the threshold to 1800 seconds on my sensors.

Thanks for your very well explained effort.  

B.  

Circa 19:14, 1 Dec 2009, a note, claiming source Matt Olney <molney () sourcefire com>, was sent to me:

Date sent:              Tue, 1 Dec 2009 19:14:57 -0500
Subject:                Re: [Snort-sigs] MSSQL False Neg
From:                   Matt Olney <molney () sourcefire com>
To:                     Nigel Houghton <nhoughton () sourcefire com>
Copies to:              bschnzl () cotse net, snort-sigs () lists sourceforge net

The rule seems to be correct, I'm thinking there is a thresholding
issue somewhere.  Looking at it, it looks like it should alert if you
see 5 packets in a 2 second period that match this rule.  If you want
to check the non-thresholding portion of the rule, try the following
local rule:


Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr () iit-tek com
bscherr () ewa com
703-478-7608
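As an added illustration, not part of the thread or of Snort's own code, here is a small Python model of a 'type threshold, track by_src' event filter run over constructed timestamps: the 2.25 s cadence Bill observed against sid 3543's count=5/seconds=2 window, and the same traffic under the 1800 s window he chose. The model assumes the common threshold semantics (a window opens at a source's first matching event; the count resets when the window expires or an alert fires) and is an approximation of Snort's behaviour, not its implementation.

```python
# Simplified model of a Snort 'type threshold, track by_src' event filter.
# Not Snort's code: a window opens at a source's first matching event and the
# count resets when the window expires or an alert fires. Sample data is constructed.
from typing import Dict, List, Tuple

Event = Tuple[float, str]  # (timestamp in seconds, source address)


def apply_threshold(events: List[Event], count: int, seconds: float) -> List[Event]:
    """Events that alert under 'count <count>, seconds <seconds>' tracked by source."""
    alerts: List[Event] = []
    state: Dict[str, List[float]] = {}  # src -> [window_start, hits_in_window]
    for ts, src in sorted(events):
        window = state.get(src)
        if window is None or ts - window[0] > seconds:
            state[src] = [ts, 1]  # no window yet, or it expired: start fresh
        else:
            window[1] += 1
        if state[src][1] >= count:
            alerts.append((ts, src))
            state[src] = [ts, 0]  # alert fired; count again from zero
    return alerts


def slowest_cadence_caught(count: int, seconds: float) -> float:
    """Largest gap (s) between evenly spaced attempts that still fit `count`
    of them into one window; a source pacing slower than this never alerts."""
    return seconds / (count - 1)


# Constructed sample: one host at the 2.25 s cadence seen in the thread (10 attempts),
# another host at four attempts per second (5 attempts).
SLOW_SRC, FAST_SRC = "192.0.2.10", "192.0.2.20"
SLOW_EVENTS: List[Event] = [(2.25 * i, SLOW_SRC) for i in range(10)]
FAST_EVENTS: List[Event] = [(0.25 * i, FAST_SRC) for i in range(5)]


def compare_windows() -> Dict[str, int]:
    """Alert counts under sid 3543's stock window (5 in 2 s) and the 1800 s window."""
    return {
        "slow_host_5_in_2s": len(apply_threshold(SLOW_EVENTS, 5, 2)),
        "slow_host_5_in_1800s": len(apply_threshold(SLOW_EVENTS, 5, 1800)),
        "fast_host_5_in_2s": len(apply_threshold(FAST_EVENTS, 5, 2)),
    }


if __name__ == "__main__":
    print(compare_windows())
    print("gap caught by 5-in-2s:", slowest_cadence_caught(5, 2), "s; by 5-in-1800s:", slowest_cadence_caught(5, 1800), "s")
```

With the stock window the slow host never accumulates five hits because every 2.25 s gap exceeds the 2 s window, while the 1800 s window alerts on its 5th and 10th attempts; the last line shows that a 5-in-2s filter only covers sources pacing faster than one attempt per 0.5 s.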

