
List:       snort-sigs
Subject:    Re: [Snort-sigs] [Snort-Sigs] 19213 thousands of FP
From:       JJC <cummingsj () gmail ! com>
Date:       2011-09-27 15:40:42
Message-ID: CAOb75Os0F=8CORqoU3P6u2NPg5X6=Pz110hnwD+7Pog+FbQ1sQ () mail ! gmail ! com


Notwithstanding the validity of the F+ nature of the rule, I wanted to take
a quick second to point out a few things here, for the benefit of newer
users on the list etc...

As a matter of IPS best practice and tuning, there will be many valid rules
that will not apply to your infrastructure and that will still alert based
on your traffic.  In this case a simple question should be asked when you
see alerts: "Do I have an Ipswitch IMail Server?" I suspect that the
answer to that will more than likely be no, and as such this sid should
simply be disabled.

The second item would simply be to utilize one of the VRT base policies
("balanced", "security", or "connectivity").  Doing so would have had this
rule disabled by default and thus would not have produced the F+ that is noted.

All of this being said, this rule could use some enhancement and that is
being reviewed now.

JJC

On Tue, Sep 27, 2011 at 9:18 AM, matan monitz <mmonitz@gmail.com> wrote:

> Hello,
> can someone please explain the logic behind the sig?
> The ?Q? is very very common and there is no minimal length on the sig.
> Quoting from Secunia:
>
> * 2) A boundary error in the List Mailer (imailsrv.exe) can be exploited
> to cause a stack-based buffer overflow via an overly-long string in the
> Subject field following the "?Q?" operator.*
>
> You can't just alert on this operator appearing in the subject! (btw, I'll
> be happy if someone can tell me what ?Q? means)
>
> P.S. the pcre should also be removed from the sig
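
The "?Q?" token the thread argues about is part of an RFC 2047 encoded-word (`=?charset?Q?encoded-text?=`, where Q is the quoted-printable style encoding and B would be base64), so it shows up in the Subject of any message whose subject contains non-ASCII characters, which is why a rule that fires on the bare token produces alerts in bulk. The Python below is an added example, not code from the thread, the Snort rule, or Ipswitch; it contrasts the bare-token match with a check that keys on the length of the encoded text after "?Q?", which is the condition the quoted advisory actually describes. The 512-byte limit is an assumed placeholder, since neither the advisory text quoted above nor the thread gives a number, and the sample Subject lines are constructed.

```python
import re
from email.header import decode_header, make_header

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
# Group 2 is the encoding letter: Q (quoted-printable style) or B (base64).
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([QqBb])\?([^?\s]*)\?=")

# Assumed threshold for an "overly-long" encoded text. The advisory quoted in
# the thread gives no figure; tune this to the product's real limit.
MAX_Q_TEXT_LEN = 512


def naive_match(subject):
    """What a rule that only looks for the operator does: any "?Q?" fires."""
    return "?Q?" in subject


def q_encoded_words(subject):
    """Return (charset, encoded_text) for every Q-encoded word in a Subject value."""
    return [
        (m.group(1), m.group(3))
        for m in ENCODED_WORD.finditer(subject)
        if m.group(2).upper() == "Q"
    ]


def flag_long_q_word(subject, limit=MAX_Q_TEXT_LEN):
    """Length of the longest Q-encoded text if it exceeds limit, else None."""
    lengths = [len(text) for _, text in q_encoded_words(subject)]
    if not lengths:
        return None
    longest = max(lengths)
    return longest if longest > limit else None


def decode_subject(subject):
    """Decode encoded-words to show what a benign "?Q?" subject really says."""
    return str(make_header(decode_header(subject)))


def classify(header_line):
    """Classify one 'Subject: ...' header line: 'ok' or 'long-q-encoded-word'."""
    value = header_line.split(":", 1)[1].strip()
    return "long-q-encoded-word" if flag_long_q_word(value) is not None else "ok"


# Constructed sample header lines (not taken from the thread).
BENIGN = "Subject: =?UTF-8?Q?Re=3A_Besprechung_n=C3=A4chste_Woche?="
PLAIN = "Subject: Re: meeting next week"
LONG = "Subject: =?ISO-8859-1?Q?" + "=41" * 300 + "?="  # 900 bytes of encoded text

if __name__ == "__main__":
    for line in (BENIGN, PLAIN, LONG):
        value = line.split(":", 1)[1].strip()
        print(f"{classify(line):20} naive={naive_match(value)!s:5} {line[:60]}")
    print("benign decodes to:", decode_subject(BENIGN.split(":", 1)[1].strip()))
```

Run as a script it shows the mismatch the thread complains about: the ordinary German subject trips `naive_match` but is classified "ok", while only the constructed 900-byte encoded text is flagged. In Snort terms the same idea is to constrain the rule to an overly long run after "?Q?" rather than to the token alone.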

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
