Re: false positive rules in snort 2.8.6.0

[Will Metcalf <william.metcalf () gmail com>]

Ummmm so what is happening is that these rules are written to
fingerprint a protocol.  If I remember correctly dropping the traffic
identified by these sigs isn't enough to cripple e-mule.  Detection !=
Prevention...  Another example.. fire up a sniffer and and use a tcp
session splicing attack in InlineMode() against a target...  By the
time snort does reassembly the packets have already gone across the
wire.

Regards,

Will

On Fri, Jun 4, 2010 at 3:10 PM, Joel Esler <jesler () sourcefire com> wrote:
> Okay, so you aren't saying they are falsing, you are saying that the rules
> aren't dropping the traffic?
>
> On Jun 4, 2010, at 4:00 PM, Lawrence R. Hughes, Sr. wrote:
>
> Joel,
>
> Thanks for the quick reply...
>
> Although they are drop rules, the clients in both cases connect, allow
> searches and downloads.
>
> We do not use pcap, we thought that snort's coverage was enough.
>
> Our main concern is about the RIAA...
>
> Thanks,
> Larry
>
>
> ----- Original Message -----
> From: Joel Esler
> To: Lawrence R. Hughes, Sr.
> Sent: Friday, June 04, 2010 3:55 PM
> Subject: Re: [Snort-users] false positive rules in snort 2.8.6.0
> What are they falsing on?  Do you have a pcap?
> J
> On Jun 4, 2010, at 3:50 PM, Lawrence R. Hughes, Sr. wrote:
>
> Hi All,
>
> The following two (2) rules in p2p.rules are false positives... Be aware of
> the RIAA
>
> drop tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server
> response"
>  flow:established,from_server; content:"Server|3A| eMule";
>  fast_pattern:only; metadata:policy security-ips drop;
>  reference:url,www.emule-project.net; classtype:policy-violation;
>  sid:2587; rev:4;)
> drop udp $HOME_NET any -> $EXTERNAL_NET 41170
> (msg:"P2P Manolito Search Query"; flow:to_server; content:"|01 02 00 14|";
>  depth:4; offset:16; metadata:policy security-ips drop;
>  reference:url,openlito.sourceforge.net; reference:url,www.blubster.com;
>  classtype:policy-violation; sid:3459; rev:5;)
>
>
> Thanks,
> Larry
>
>
>
> ------------------------------------------------------------------------------
> ThinkGeek and WIRED's GeekDad team up for the Ultimate
> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> lucky parental unit.  See the prize list and enter to win:
> http://p.sf.net/sfu/thinkgeek-promo_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Joel Esler
> 302-223-5974
> Jabber: jesler () sourcefire com
>
>
> --
> Joel Esler
> 302-223-5974
> Jabber: jesler () sourcefire com
>
> ------------------------------------------------------------------------------
> ThinkGeek and WIRED's GeekDad team up for the Ultimate
> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> lucky parental unit.  See the prize list and enter to win:
> http://p.sf.net/sfu/thinkgeek-promo
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users