
RE: [Snort-sigs] False positive for rule 1:1365

Subject: RE: [Snort-sigs] False positive for rule 1:1365
Date: Thu, 23 Sep 2004 23:37:46 -0400
Hi Worthy,

Actually this rule contains a ton of false positives.  For example a webpage
with the word "form" followed by a space, where space equals %20, will
trigger it.  The trick here is to first make sure all your HTTP_SERVERS and
HTTP_PORTS variables are set.  From your post it looks like you may have
this done already.

Ok now this is where it can get tricky. Make a new variable say
HTTP_SERVERS_GOOD where every server IP in this variable is known to have
security settings and patches to prevent/harden against the exploit of the
vulnerability for sig 1365. (See snort.org for rule details.)

Next we make a huge assumption that you will have to test.  We assume that
only web traffic on your network flows on the HTTP_PORTS you have
designated.  You will have to test this and either beat some people for
using Peer-to-Peer or glare threateningly at those using non-standard ports
for their applications.  This will depend on your security policies for your
environment.  If more than just web traffic flows on your HTTP_PORTS then
these changes will not work, or not work well.

Now create a copy of the rule (with a new sig #) and replace the
$HTTP_SERVERS with !$HTTP_SERVERS_GOOD.  This will allow the rule to trigger
whenever it sees a packet containing the potential exploit travel on your
web ports to a machine that is NOT known to be secure against this exploit.
This way if a new server comes online that you haven't verified, the rule
won't miss it.  Once you have verified it you can add the IP to the GOOD
variable.

Your mileage with these changes will depend on your network.  I always
recommend turning rules off as an absolute last resort, but sometimes it's
inevitable.  Most times you can get creative though.  Hope this helps or
maybe leads to a different idea that may help you.

Shawn Truax
Sr. Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107


-----Original Message-----
From: Worthy [mailto:listy@home.olsztyn.pl]
Sent: September 23, 2004 6:54 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] False positive for rule 1:1365


Hello,

  I found a false positive for rule 1:1365.
  It looks like this:

  GET /pphlogger.php?id=[id]&referer=http%3A//www.domain.com.pl/%3F6%26
  &r=1024x768&c=32&showme=n&st=js&title=Dystrybucja%20maszyn%20rolniczych
  %20firm%20McCormick%2C%20Laverda%2C%20Kverneland%2C%20Manitou%20i%20
  HTTP/1.1

  This innocent request contains the string rm%20.

  Can the rule be changed to avoid such false positives,
  or is the only solution to remove that rule?

-- 
Best regards,
 Worthy                    mailto: listy@home.olsztyn.pl
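The tuning Shawn describes above, worked through in Python as an added illustration (this is not code from the thread or from the Snort project). It models the rule header rewrite from $HTTP_SERVERS to !$HTTP_SERVERS_GOOD and runs it against Worthy's request line. The server addresses, the HTTP_PORTS contents and the rule option body are constructed for the example; only the "rm%20" content string comes from the post, so the emitted rule text is a stand-in for the published sid 1365, not a copy of it.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample values: the post names these variables but not their contents.
HTTP_PORTS = {80, 8080}
HTTP_SERVERS = {"192.0.2.10", "192.0.2.20", "192.0.2.30"}
# Servers verified as patched/hardened against whatever sid 1365 looks for.
HTTP_SERVERS_GOOD = {"192.0.2.10", "192.0.2.20"}

# The only rule detail on the page: the content string that fired, matched nocase.
RULE_CONTENT = "rm%20"

# Worthy's request line, re-joined from the quoted post ([id] kept as written there).
WORTHY_LINE = (
    "GET /pphlogger.php?id=[id]&referer=http%3A//www.domain.com.pl/%3F6%26"
    "&r=1024x768&c=32&showme=n&st=js&title=Dystrybucja%20maszyn%20rolniczych"
    "%20firm%20McCormick%2C%20Laverda%2C%20Kverneland%2C%20Manitou%20i%20 HTTP/1.1"
)


@dataclass(frozen=True)
class Request:
    dst: str           # destination server address
    dport: int         # destination port
    request_line: str  # HTTP request line as seen on the wire


def content_matches(request_line: str, pattern: str = RULE_CONTENT) -> bool:
    """Plain case-insensitive substring test, which is all a content match does."""
    return pattern.lower() in request_line.lower()


def explain_false_positive(request_line: str, pattern: str = RULE_CONTENT) -> Optional[str]:
    """Return the word that swallowed the pattern, so an analyst sees why it fired."""
    low = request_line.lower()
    idx = low.find(pattern.lower())
    if idx < 0:
        return None
    start = idx
    while start > 0 and low[start - 1].isalpha():  # walk back to the word start
        start -= 1
    return request_line[start:idx + len(pattern)]


def original_rule_fires(r: Request) -> bool:
    """Stock header '-> $HTTP_SERVERS $HTTP_PORTS': every listed web server is in scope."""
    return r.dst in HTTP_SERVERS and r.dport in HTTP_PORTS and content_matches(r.request_line)


def tuned_rule_fires(r: Request) -> bool:
    """Local copy '-> !$HTTP_SERVERS_GOOD $HTTP_PORTS': fires for any host on a web port
    that is NOT in the verified set, so an unverified new server is still covered."""
    return (r.dst not in HTTP_SERVERS_GOOD
            and r.dport in HTTP_PORTS
            and content_matches(r.request_line))


def tuned_rule_text(local_sid: int = 1000365) -> str:
    """The rewritten rule as it would go into a local rules file.
    Header follows the post; the option body is a constructed stand-in (assumption)."""
    return ("alert tcp $EXTERNAL_NET any -> !$HTTP_SERVERS_GOOD $HTTP_PORTS "
            '(msg:"LOCAL rm command attempt to unverified web server"; '
            "flow:to_server,established; "
            f'content:"{RULE_CONTENT}"; nocase; sid:{local_sid}; rev:1;)')


# Constructed traffic: same request line to four different destinations.
SAMPLES: Dict[str, Request] = {
    "verified_server":   Request("192.0.2.10", 80, WORTHY_LINE),  # in GOOD: FP suppressed
    "unverified_server": Request("192.0.2.30", 80, WORTHY_LINE),  # known but not verified
    "new_server":        Request("192.0.2.40", 80, WORTHY_LINE),  # not in any list yet
    "non_web_port":      Request("192.0.2.40", 22, WORTHY_LINE),  # outside HTTP_PORTS
}


def evaluate_all() -> Dict[str, Dict[str, bool]]:
    """Run both rule variants over the samples; returns {name: {original, tuned}}."""
    return {name: {"original": original_rule_fires(r), "tuned": tuned_rule_fires(r)}
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    print("match explained by token:", explain_false_positive(WORTHY_LINE))
    print(tuned_rule_text())
    for name, verdict in evaluate_all().items():
        print(f"{name:18s} original={verdict['original']!s:5s} tuned={verdict['tuned']}")
```

The new_server row is the point of the negation: the stock header never fires there because the host is not in HTTP_SERVERS at all, while the tuned copy does, and only adding the address to HTTP_SERVERS_GOOD after verification quiets it. The non_web_port row shows the dependency Shawn flags: traffic outside HTTP_PORTS is invisible to both variants.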