7-21-05
FYI...
The following rule triggers hundreds of false positives:
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"EXPLOIT SIP UDP CSeq
overflow attempt";
content:"CSeq|3A|"; nocase; isdataat:16,relative; content:!"|0A|"; within:16;
reference:url,www.ethereal.com/news/item_20050504_01.html;
classtype:attempted-dos; sid:3677;
rev:2;)
The reference tends to suggest the rule was intended to identify a
buffer overflow associated with Ethereal v0.10.0 through v0.10.10 (a
packet sniffer).
However for anyone using Voice over IP, a standard/stock Cisco SIP
phone generates a sip packet every ten minutes that triggers the rule.
In large organizations using VoIP, the rule will fire by the hundreds.
Proposal:
1. either add the keyword "ethereal" in the msg (to avoid confusion
with other sip overflow attempts, or,
2. tune the rule to be more specific to the ethereal problem, or,
3. delete the rule entirely since it has very little real value to
any organization and only serves to inflat the number of rules in snort.
In the real world, the chances of anyone running a vulnerable ethereal
instance on a production Internet-accessible box that would be actually
impacted by someone attempting to take advantage of the issue is either
slim or totally non-existant. References suggest that no such attempts
have been seen in the wild (and are not likely to see any). Therefore,
I'd suggest removing it from the rules totally.
Rich
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
