
List:       snort-sigs
Subject:    Re: [Snort-sigs] False negatives on "ATTACK-RESPONSES id check
From:       Jon Hart <jhart () spoofed ! org>
Date:       2007-04-16 15:00:20
Message-ID: 20070416150020.GU26404 () spoofed ! org

On Mon, Apr 16, 2007 at 12:40:27PM +0200, Cees wrote:
> Some additional information:
> 
> Version of snort used: 2.6.1.2
> Snort.conf configuration:
> var HOME_NET [192.168.247.133/32]
> var EXTERNAL_NET !$HOME_NET
> [..]
> Preprocessors: frag3, stream4, http_inspect
> 
> Command-line options when starting snort:
> snort -u snort -r uid.pcap -l log/ -c snort.conf
> 
> Operating system used: Gentoo linux
> 
> Attached a sample PCAP file. A client (192.168.247.129) retrieves a website
> from the server (192.168.247.133) with the string "uid=33(www-data)
> gid=33(www-data) groups=33(www-data)".

I seem to recall discussion about this rule and its potential for
false-negatives sometime in the past.  The further you crank out
'within', the greater the chance of a false-positive.  There is
definitely room for improvement, IMO, as uid and gid combinations that
are greater than 9 characters in length are quite common.

Why not pcre for this rule?  'pcre:/uid=\d+\S+\s+gid=\d+\S+'?

-jon
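To make the trade-off in this exchange concrete, here is a small Python model (added as an illustration; it is not code from the thread or from the Snort rule set) that applies Jon's proposed pcre to Cees's sample string and compares it with a content-based "uid=" then "gid=" match constrained by a `within` window. The exact `within` value of the shipped rule is not given in the thread, so the model takes it as a parameter, and the two-content shape of the rule is an assumption.

```python
import re

# Jon's proposed pcre, as written in the mail. Python's re treats
# \d, \S and \s the same way PCRE does for this pattern.
UID_GID_RE = re.compile(rb"uid=\d+\S+\s+gid=\d+\S+")

# Constructed sample payload, taken from the string Cees describes
# (the body of the pcap is not on the page, so this is re-typed).
SAMPLE = b"uid=33(www-data) gid=33(www-data) groups=33(www-data)"


def pcre_matches(payload: bytes) -> bool:
    """True if the proposed pcre would fire on this payload."""
    return UID_GID_RE.search(payload) is not None


def content_within_matches(payload: bytes, within: int) -> bool:
    """Hypothetical model of a content-based rule: content:"uid=" followed
    by content:"gid="; within:<within>.  Snort's 'within' requires the second
    content to be found entirely inside the N bytes that follow the end of
    the previous match, which is what the window slice below enforces.
    (Assumption about the rule's shape, not the actual rule text.)"""
    start = 0
    while True:
        i = payload.find(b"uid=", start)
        if i < 0:
            return False
        end = i + len(b"uid=")
        if b"gid=" in payload[end:end + within]:
            return True
        start = i + 1  # try the next "uid=" occurrence, if any


def gid_distance(payload: bytes) -> int:
    """Bytes needed after 'uid=' to fully contain 'gid=' (-1 if absent)."""
    i = payload.find(b"uid=")
    j = payload.find(b"gid=", i + 4) if i >= 0 else -1
    return -1 if j < 0 else (j + 4) - (i + 4)


if __name__ == "__main__":
    print("pcre fires:", pcre_matches(SAMPLE))
    print("bytes needed for within:", gid_distance(SAMPLE))
    for w in (9, 17):
        print(f"within:{w} fires:", content_within_matches(SAMPLE, w))
```

For the www-data example, "gid=" ends 17 bytes after "uid=", so any `within` smaller than that is a false negative on this payload while the pcre still matches; the benign input `uid=33 group=33` shows the pcre does not fire on a lone uid.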

