Snort mailing list archives

Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27


From: Joel Esler <jesler () cisco com>
Date: Wed, 28 Jan 2015 14:02:09 -0500

On Wed, Jan 28, 2015 at 10:54:36AM -0800, Benjamin Small wrote:
  I'm saying your exact match is a substring of a popular user agent, not
  that it would match legit user agents. If the match was "UserAgent:
  PwnYerBox", then I would totally understand. In that case, as I review the
  signature definition I'm about to apply to all my clients as a high
  priority drop rule, I'm going to feel comfortable.
  In the case that the UserAgent is "Mozilla/5.0", in a world where it takes
  one line of python/perl/ruby to send a legit web request, I might be a bit
  more careful. If your reviewers see that and think "Yea, that's not going
  to be false positive"... then I'm not sure what to say...
  Now that that's said, back to cleaning the thousands of false positives
  out of my SIEM.


You shouldn't have a single match of "Mozilla/5.0 <anything after it>" from a legit browser, anywhere in your thousands 
of false positives in your SIEM.  Also, some samples of those would help us to isolate the software that is using this 
non-browser based User-Agent.

You are right though, a single line of any of those languages can construct a legit web request, however, I can also 
set my malware to send a totally legit User-Agent string that IE uses and completely bypass this type of detection.  
However, when it comes to malware, we'll use any tools at our disposal to catch the malware with as few (read: zero) 
false positives as possible.

False positives do happen, but the best thing you can do is report them to us with a pcap exhibiting the behavior so we 
can fix the issue.  Heck, sometimes it's as simple as (in Jeff's case) content:!"Amazon"; http_header; or something.  We 
perform extensive testing on our ruleset before shipping, and we absolutely RAIL on each other when someone does 
something stupid with a rule.  However, our test cases and live systems can't test every application, piece of malware, 
and network protocol in existence.  Impossible. 



--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
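The point both sides are circling, as an added example that is not part of the thread and not Talos or Snort code: a small Python matcher that approximates how a Snort-style `content` check with the `http_header` modifier behaves against HTTP request headers. It shows why a rule keyed on the substring "User-Agent: Mozilla/5.0" would fire on every modern browser, why anchoring the pattern on the line terminator only fires on a bare, non-browser User-Agent, and how a negated content (the content:!"Amazon"; http_header; trick mentioned above) carves out one known-good application. The rule syntax and buffer handling are simplified (real Snort normalizes the header buffer and supports far more modifiers), and the sample header blocks and SIDs are constructed for the demonstration.

```python
"""
Toy Snort-style content matcher over raw HTTP request headers.

Added example, not from the Snort-sigs thread or the Talos ruleset.
Approximates `content:"..."; http_header;` and its negated form
`content:!"..."; http_header;`. Sample headers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ContentMatch:
    """One `content` keyword: a byte pattern, optionally negated with `!`."""
    pattern: bytes
    negated: bool = False

    def matches(self, headers: bytes) -> bool:
        found = self.pattern in headers
        return not found if self.negated else found


@dataclass
class Rule:
    """A rule fires only when every content option agrees (AND semantics)."""
    sid: int
    msg: str
    contents: List[ContentMatch] = field(default_factory=list)

    def fires(self, headers: bytes) -> bool:
        return all(c.matches(headers) for c in self.contents)


# Constructed request header blocks (hypothetical hosts and paths).
SAMPLES: Dict[str, bytes] = {
    # A real browser: "Mozilla/5.0" is only the prefix of a long token.
    "chrome": (
        b"GET / HTTP/1.1\r\nHost: example.com\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
        b"(KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36\r\n\r\n"
    ),
    # A non-browser client sending the bare string and nothing else.
    "bare": (
        b"GET /gate.php HTTP/1.1\r\nHost: example.net\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    # Same bare UA, but other headers identify a known-good application.
    "bare_amazon": (
        b"GET /ping HTTP/1.1\r\nHost: example.org\r\n"
        b"User-Agent: Mozilla/5.0\r\nX-App-Vendor: Amazon\r\n\r\n"
    ),
}

# 1) Substring match: fires on everything that starts with Mozilla/5.0.
SUBSTRING_RULE = Rule(
    sid=1000001, msg="UA substring Mozilla/5.0 (noisy)",
    contents=[ContentMatch(b"User-Agent: Mozilla/5.0")],
)

# 2) Terminator-anchored match: only a UA that is exactly "Mozilla/5.0".
EXACT_RULE = Rule(
    sid=1000002, msg="bare UA Mozilla/5.0",
    contents=[ContentMatch(b"User-Agent: Mozilla/5.0\r\n")],
)

# 3) Same, plus a negated content to exclude a known-good application.
EXACT_RULE_EXCLUDING_AMAZON = Rule(
    sid=1000003, msg="bare UA Mozilla/5.0, excluding Amazon",
    contents=[
        ContentMatch(b"User-Agent: Mozilla/5.0\r\n"),
        ContentMatch(b"Amazon", negated=True),
    ],
)


def evaluate(rule: Rule, samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Return {sample_name: fired} for one rule over all sample header blocks."""
    return {name: rule.fires(hdr) for name, hdr in samples.items()}


if __name__ == "__main__":
    for rule in (SUBSTRING_RULE, EXACT_RULE, EXACT_RULE_EXCLUDING_AMAZON):
        print(f"sid:{rule.sid} {rule.msg}")
        for name, fired in evaluate(rule).items():
            print(f"  {name:12s} -> {'ALERT' if fired else 'no alert'}")
```

In real Snort syntax the terminator anchoring is usually written with hex escapes, e.g. content:"User-Agent|3A 20|Mozilla/5.0|0D 0A|"; http_header;, which is the form that distinguishes a bare token from the prefix of a full browser string. When reviewing a rule before pushing it to clients, running it over a handful of captured legitimate requests the way `evaluate` does here is the quickest way to see whether the match is anchored or merely a substring.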
