Re: [Snort-sigs] False positive sid:498

On Thu, 2005-03-24 at 10:31 -0600, Paul Schmehl wrote:
> This might come as a shock to some, but at a university the security folks 
> are not the *only* people who read lists like Bugtraq or (horror of 
> horrors) go to websites that explain exploits, including code that sets off 
> alerts in snort.

Howdy Paul,

good call, I didn't consider general email. However, I do not believe
changing rules to use port !25 is a solution.

Instead, why don't you tune the IDS by suppressing on certain IPs, such
as the Bugtraq mail servers, Security Focus portal etc. That way at
least you still get alerts when someone spawns a remote shell over port
25.

It is hard to distinguish between uid:0 or a shall prompt in email, web
traffic or a real remote shell. You really need to look at context (but
you know that, so I'm not gonna "explain" that to you ;)

Messing with ports lowers the accuracy of a rule. Once you start with !
25, you might end up with !20:1024 (to cover POP3, IMAP, FTP, Web, etc
etc). So you rule becomes less and less effective.

Instead, increase accuracy of FP detection by adding all those known
good FP sources to suppression rules. Once you do that, you get less FP,
but are still able to catch the remote shells that use source port 20
and stuff like that.

Let me know if this is the sort of reasoning or discussion you except
and I'll continue to be verbal like that. ;)

Cheers,
Frank

signature.asc
Description: This is a digitally signed message part