Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27
From: Joel Esler <jesler () cisco com>
Date: Wed, 28 Jan 2015 14:02:09 -0500
On Wed, Jan 28, 2015 at 10:54:36AM -0800, Benjamin Small wrote:
I'm saying your exact match is a substring of a popular user agent, not that it would match legit user agents. If the match was "UserAgent: PwnYerBox", then I would totally understand. In that case, as I review the signature definition I'm about to apply to all my clients as a high priority drop rule, I'm going to feel comfortable. In the case that the UserAgent is "Mozilla/5.0", in a world where it takes one line of python/perl/ruby to send a legit web request, I might be a bit more careful. If your reviewers see that and think "Yea, that's not going to be false positive"... then I'm not sure what to say... Now that that's said, back to cleaning the thousands of false positives out of my SIEM.
You shouldn't have a single match of "Mozilla/5.0 <anything after it>" from a legit browser, anywhere in your thousands of false positives in your SIEM. Also, some samples of those would help us to isolate the software that is using this non-browser-based User-Agent.

You are right though, a single line of any of those languages can construct a legit web request; however, I can also set my malware to send a totally legit User-Agent string that IE uses and completely bypass this type of detection. However, when it comes to malware, we'll use any tools at our disposal to catch the malware with as few (read: zero) false positives as possible.

False positives do happen, but the best thing you can do is report them to us with a pcap exhibiting the behavior so we can fix the issue. Heck, sometimes it's as simple as (in Jeff's case) content:!"Amazon"; http_header; or something.

We perform extensive testing on our ruleset before shipping, and we absolutely RAIL on each other when someone does something stupid with a rule. However, our test cases and live systems can't test every application, piece of malware, and network protocol in existence. Impossible.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
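The disagreement above turns on what "a match on Mozilla/5.0" actually means in a Snort rule: a `content` match that is anchored by the trailing CRLF only fires on a bare `User-Agent: Mozilla/5.0` header, whereas a substring match would hit every Firefox-style UA that continues after it, and a negated `content:!"..."; http_header;` can carve out a known false positive without touching the positive match. The following Python is an added example written for this archive page; it is not the VRT/Talos rule, nor code from anyone in the thread. The three HTTP requests are constructed samples, the "Amazon" header is a hypothetical stand-in for Jeff's case, and the matcher is a deliberately minimal emulation of Snort's `content` / `http_header` semantics (case-sensitive, header buffer excludes the request line), not a reimplementation of the engine.

```python
"""Emulate Snort-style `content` matching on the HTTP header buffer.

Three rule shapes are compared over constructed sample traffic:
  substring   -> content:"User-Agent|3A 20|Mozilla/5.0"; http_header;
  exact       -> content:"User-Agent|3A 20|Mozilla/5.0|0D 0A|"; http_header;
  exact+excl  -> exact, plus content:!"Amazon"; http_header;
The Snort option strings above are illustrative, not a published rule.
"""

# Constructed sample requests (assumption: representative of the three
# traffic types discussed in the thread; none are captured data).
SAMPLES = {
    # A real Firefox 35 User-Agent: "Mozilla/5.0" is followed by more text.
    "firefox": (
        "GET / HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) "
        "Gecko/20100101 Firefox/35.0\r\n"
        "Accept: text/html\r\n\r\n"
    ),
    # A bare "Mozilla/5.0" UA, i.e. what a one-line scripted request
    # or a lazy malware HTTP stack typically sends.
    "bare": (
        "GET /gate.php HTTP/1.1\r\n"
        "Host: www.example.net\r\n"
        "User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    # Hypothetical legitimate tool with the same bare UA but an
    # identifying header; stand-in for the false positive Jeff hit.
    "amazon_tool": (
        "GET /bucket/object HTTP/1.1\r\n"
        "Host: www.example.org\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "X-Client-Note: Amazon sync tool\r\n\r\n"
    ),
}


def http_header_buffer(raw_request: str) -> str:
    """Return the header lines after the request line, each CRLF-terminated.

    Mirrors the idea of Snort's http_header buffer: the request line is not
    part of it, and each header keeps its terminating CRLF so a pattern
    ending in |0D 0A| can anchor on the end of a header value.
    """
    head, _sep, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return "\r\n".join(lines[1:]) + "\r\n"


def rule_matches(header_buf: str, contents) -> bool:
    """Apply a list of (pattern, negated) content checks, all ANDed together.

    A positive content must be present and a negated content must be absent
    for the rule to fire. Matching is a plain case-sensitive substring test,
    which is what `content` does without `nocase`.
    """
    for pattern, negated in contents:
        found = pattern in header_buf
        if found == negated:          # present-but-negated or absent-but-required
            return False
    return True


SUBSTRING_RULE = [("User-Agent: Mozilla/5.0", False)]
EXACT_RULE = [("User-Agent: Mozilla/5.0\r\n", False)]
EXACT_RULE_WITH_EXCLUSION = EXACT_RULE + [("Amazon", True)]


def evaluate(samples: dict, rule) -> dict:
    """Map each sample name to whether the rule fires on it."""
    return {name: rule_matches(http_header_buffer(raw), rule)
            for name, raw in samples.items()}


if __name__ == "__main__":
    for label, rule in (("substring", SUBSTRING_RULE),
                        ("exact", EXACT_RULE),
                        ("exact+excl", EXACT_RULE_WITH_EXCLUSION)):
        print(f"{label:11s} {evaluate(SAMPLES, rule)}")
```

Run as-is, the substring rule fires on all three samples (which is the outcome Benjamin is worried about), the CRLF-anchored rule skips the real Firefox request and fires only on the bare UA, and the negated `Amazon` content then drops the hypothetical tool while still catching the bare-UA request. When triaging a rule like this, check the rule body for the trailing `|0D 0A|` (or an equivalent anchor) before assuming it is a substring match, and report surviving false positives with a pcap, since the exclusion has to be built from the actual offending headers.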
Current thread:
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27, (continued)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Rodgers, Anthony (DTMB) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Jeff Stebelton (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Benjamin Small (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Dalton, Gerry (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Jeff Stebelton (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Benjamin Small (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Rodgers, Anthony (DTMB) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Alex McDonnell (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Jeff Stebelton (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Jamie Riden (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Mike Hale (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 lists () packetmail net (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 lists () packetmail net (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)