List: snort-sigs
Subject: Re: [Snort-sigs] False negatives on "ATTACK-RESPONSES id check
From: Cees <celzinga () gmail ! com>
Date: 2007-05-04 7:45:09
Message-ID: 3025b5600705040045g184494f2if63f208f08f1754 () mail ! gmail ! com
Looks good to me!
On 4/16/07, Jon Hart <jhart@spoofed.org> wrote:
>
> On Mon, Apr 16, 2007 at 12:40:27PM +0200, Cees wrote:
> > Some additional information:
> >
> > Version of snort used: 2.6.1.2
> > Snort.conf configuration:
> > var HOME_NET [192.168.247.133/32]
> > var EXTERNAL_NET !$HOME_NET
> > [..]
> > Preprocessors: frag3, stream4, http_inspect
> >
> > Command-line options when starting snort:
> > snort -u snort -r uid.pcap -l log/ -c snort.conf
> >
> > Operating system used: Gentoo linux
> >
> > Attached a sample PCAP file. A client (192.168.247.129) retrieves a
> website
> > from the server (192.168.247.133) with the string "uid=33(www-data)
> > gid=33(www-data) groups=33(www-data)".
>
> I seem to recall discussion about this rule and its potential for
> false-negatives sometime in the past. The further you crank out
> 'within', the greater the chance of a false-positive. There is
> definitely room for improvement, IMO, as uid and gid combinations that
> are greater than 9 characters in length are quite common.
>
> Why not pcre for this rule? 'pcre:/uid=\d+\S+\s+gid=\d+\S+'?
>
> -jon
>
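As an added illustration (not code from the thread or from the Snort rule set), a small Python model of the two matching strategies under discussion: a Snort-style `content` pair bounded by `within`, versus the pcre Jon proposes. The `within` value of 15 and the sample strings are assumptions chosen to reproduce the reported miss; the real rule's value is not quoted on the page, and the `within` semantics are simplified.

```python
import re

# Constructed sample response bodies for illustration; not taken from the
# pcap discussed on the list.
SAMPLES = {
    "root": "uid=0(root) gid=0(root) groups=0(root)",
    "www-data": "uid=33(www-data) gid=33(www-data) groups=33(www-data)",
    "long-names": "uid=10001(deployment-user) gid=10001(deployment-user)",
    "benign": "user id=33 and group id=33",
}

# ASSUMED within value; the real rule's number is not quoted in the thread.
ASSUMED_WITHIN = 15

# Jon's proposed pcre, usable unchanged as a Python regex.
ID_OUTPUT_RE = re.compile(r"uid=\d+\S+\s+gid=\d+\S+")


def content_within_match(payload: bytes, first: bytes, second: bytes, within: int) -> bool:
    """Simplified model of `content:first; content:second; within:N;`.

    The second pattern must lie entirely within the N bytes that follow the
    end of the first match, so a long user name between "uid=" and " gid="
    pushes " gid=" past the window and the rule silently misses.
    """
    start = payload.find(first)
    if start < 0:
        return False
    cursor = start + len(first)
    # bytes.find(sub, start, end) only reports matches fully inside [start, end)
    return payload.find(second, cursor, cursor + within) >= 0


def classify(payload: str, within: int = ASSUMED_WITHIN) -> dict:
    """Run both detection strategies over one response body."""
    data = payload.encode()
    return {
        "content_within": content_within_match(data, b"uid=", b" gid=", within),
        "pcre": ID_OUTPUT_RE.search(payload) is not None,
    }


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} {classify(body)}")
```

Because the pcre carries no length bound it also catches the longer names, at the cost of the tighter window that `within` gave against false positives, which is the trade-off Jon describes.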
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs