Snort mailing list archives
SID 23115 appears to be triggering too soon with 2.9.1.2 SNORT using latest rules
From: Robert Cotter <Robert.Cotter () endace com>
Date: Tue, 26 Jun 2012 05:08:28 +0000
Looking at a pcap of the traffic between the server and client, there was only 1 login attempt in the last 15 seconds before the trigger, and that login triggered the alert. I read the rule as being tailored to track login attempts per source client IP to the server over the last 5 seconds. Correct?? Is there a problem with the rule?

alert tcp any any -> $SQL_SERVERS 3306 ( msg:"SQL MySQL/MariaDB client authentication bypass attempt"; flow:to_server,established; content:"|00 00 01|"; depth:3; offset:1; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:23; distance:9; pcre:"/^\w+\x00/iRm"; detection_filter:track by_src, count 100, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; reference:cve,2012-2122; classtype:attempted-admin; sid:23115; rev:2; )

Regards

--
Robert Cotter
Sales Engineer APAC - Endace
robert.cotter () endace com
DDI: +64 9 926 2931
Mob: +64 21 675 550
www.endace.com
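One way to check the reading of the rule quoted above, as an added example that is not part of the post or of Snort's code: the script re-implements the rule's payload tests on a constructed MySQL client authentication packet and models the detection_filter per source IP, so a timeline of attempts can be replayed against "count 100, seconds 5". The fixed window that restarts once it expires is an assumption about Snort's exact bookkeeping, and the packet bytes, IP address and timestamps are constructed sample data.

```python
"""Model of what SID 23115 matches and when its detection_filter fires.

Added example, not code from the post or from Snort: it re-implements the
rule's payload tests plus a simplified per-source detection_filter (a fixed
window that restarts once it expires, an assumption about Snort's bookkeeping).
"""
import re
import struct

RULE_COUNT, RULE_SECONDS = 100, 5       # from the rule's detection_filter
USER_RE = re.compile(rb"^\w+\x00")      # the rule's pcre, applied at the cursor

def payload_matches(payload: bytes) -> bool:
    """Apply the rule's content/offset/depth/distance/within/pcre tests in order."""
    # content:"|00 00 01|"; offset:1; depth:3 -> header bytes 1..3: length < 256, seq id 1
    if payload[1:4] != b"\x00\x00\x01":
        return False
    cursor = 4 + 9                      # after the match, distance:9 skips caps+maxpkt+charset
    if payload[cursor:cursor + 23] != bytes(23):   # within:23 -> the 23 reserved zero bytes
        return False
    cursor += 23
    return USER_RE.match(payload[cursor:]) is not None   # NUL-terminated username follows

def auth_packet(user: bytes, seq: int = 1) -> bytes:
    """Constructed MySQL HandshakeResponse41-style client auth packet (sample data)."""
    body = struct.pack("<IIB", 0x000FA685, 0x01000000, 0x21) + bytes(23) + user + b"\x00"
    return struct.pack("<I", len(body))[:3] + bytes([seq]) + body

class DetectionFilter:
    """detection_filter: track by_src, count N, seconds S (simplified model)."""
    def __init__(self, count: int = RULE_COUNT, seconds: float = RULE_SECONDS):
        self.count, self.seconds, self._state = count, seconds, {}

    def alert(self, src: str, ts: float) -> bool:
        """True on the Nth and later matches from `src` inside one S-second window."""
        start, n = self._state.get(src, (ts, 0))
        if ts - start >= self.seconds:  # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        self._state[src] = (start, n)
        return n >= self.count

def run(events, flt: DetectionFilter = None):
    """events: iterable of (timestamp, src_ip, tcp_payload); returns alerts raised."""
    flt = flt or DetectionFilter()
    return [(ts, src) for ts, src, p in events if payload_matches(p) and flt.alert(src, ts)]
```

Under this model a single matching login from one source never reaches the threshold, so an alert on the first attempt points at the filter state or rule options on the sensor rather than at the payload tests.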
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!