Snort mailing list archives

SID 23115 appears to be triggering too soon with 2.9.1.2 SNORT using latest rules


From: Robert Cotter <Robert.Cotter () endace com>
Date: Tue, 26 Jun 2012 05:08:28 +0000

Looking at a pcap of the traffic between the server and client there was only 1 login attempt in the last 15 seconds 
before the trigger, and that login triggered the alert.

I read the rule as being tailored to track login attempts per source client IP to the server over the last 5 seconds. 
Correct??

Is there a problem with the rule ?

alert tcp any any -> $SQL_SERVERS 3306 ( \
    msg:"SQL MySQL/MariaDB client authentication bypass attempt"; \
    flow:to_server,established; \
    content:"|00 00 01|"; depth:3; offset:1; fast_pattern; \
    content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:23; distance:9; \
    pcre:"/^\w+\x00/iRm"; \
    detection_filter:track by_src, count 100, seconds 5; \
    metadata:policy balanced-ips drop, policy security-ips drop, service mysql; \
    reference:cve,2012-2122; classtype:attempted-admin; sid:23115; rev:2; )

Regards

--
Robert Cotter
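Added example, not part of the post or of the Snort project: a Python model of the rule's two halves, the content/pcre chain applied to one MySQL client authentication packet, and the detection_filter counter for track by_src, count 100, seconds 5. The window handling (anchored at a source's first match, restarted after 5 seconds) and the packet bytes are my assumptions; the point it shows is that a single matching login cannot exceed the count by itself.

```python
import re

# Byte conditions of SID 23115 re-expressed in Python (assumption: this is my
# reading of the rule's content/pcre chain, not Snort's own matcher)
SEQ_ONE = b"\x00\x00\x01"            # content:"|00 00 01|"; offset:1; depth:3
RESERVED = b"\x00" * 23              # 23 zero bytes; distance:9; within:23
USER_RE = re.compile(rb"^\w+\x00")   # pcre:"/^\w+\x00/iRm" (R = relative)

def payload_matches(payload: bytes) -> bool:
    """Return True if one TCP payload satisfies the rule's content chain."""
    if payload[1:4] != SEQ_ONE:              # length high bytes + sequence id 1
        return False
    start = 4 + 9                            # skip caps, max packet, charset
    if payload[start:start + 23] != RESERVED:
        return False
    return USER_RE.match(payload[start + 23:]) is not None  # username + NUL

class DetectionFilter:
    """Model of detection_filter:track by_src,count N,seconds S.
    The rule may alert only once a source exceeds N matches within S
    seconds, i.e. on match N+1 and later in the same window. The window is
    anchored at the first match and restarts after S seconds (assumption:
    a simplification of Snort's thresholding code)."""
    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self.state = {}                      # src -> (window_start, matches)

    def event(self, src: str, ts: float) -> bool:
        start, n = self.state.get(src, (ts, 0))
        if ts - start > self.seconds:        # window expired: start a new one
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n > self.count

def alerts_for(events, count=100, seconds=5):
    """events: (timestamp, src_ip, payload). Returns timestamps that alert."""
    df = DetectionFilter(count, seconds)
    return [ts for ts, src, p in events if payload_matches(p) and df.event(src, ts)]

def auth_packet(user: bytes) -> bytes:
    """Constructed MySQL HandshakeResponse41 with the reserved field zeroed."""
    body = (b"\x85\xa6\x03\x00" + b"\x00\x00\x00\x01" + b"\x21" + RESERVED
            + user + b"\x00" + b"\x14" + b"A" * 20)   # caps, maxpkt, charset, user, auth
    return len(body).to_bytes(3, "little") + b"\x01" + body   # sequence id 1

if __name__ == "__main__":
    one = [(0.0, "10.0.0.5", auth_packet(b"root"))]
    print(alerts_for(one))                   # [] : one attempt cannot exceed count 100
    burst = [(i / 100, "10.0.0.5", auth_packet(b"root")) for i in range(101)]
    print(alerts_for(burst))                 # [1.0] : only the 101st match alerts
```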