Subject: [Snort-sigs] sid: 1792 - errors, false positive and false negatives
From: Fabio Panigatti - Minerva spa
Date: Tue, 6 Sep 2005 16:31:47 +0200
Errors
------
The "flow" directive should be "to_client" instead of "to_server".

False positives
---------------
The rule with the right flow directive raises a lot of fp.

Here is an example of one harmless real-world frame triggering the
alert when the "to_client" flow directive is set:

01/31-16:16:34.810247 193.70.192.192:119 -> 151.36.98.221:4289
TCP TTL:249 TOS:0x38 ID:1661 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xF77616B6  Ack: 0x902745A6  Win: 0x86C4  TcpLen: 20
32 30 30 20 57 65 6C 63 6F 6D 65 20 74 6F 20 4E  200 Welcome to N
65 74 32 34 20 56 65 72 64 65 41 64 73 6C 20 49  et24 VerdeAdsl I
6E 66 6F 73 74 72 61 64 61 20 6E 65 77 73 20 73  nfostrada news s
65 72 76 65 72 20 28 54 77 69 73 74 65 72 20 76  erver (Twister v
31 2E 32 2E 30 29 0D 0A                          1.2.0)..

False negatives
---------------
The mnews vulnerability can be exploited even when the nntp server
puts an arbitrary number of spaces or zeroes before the "200" code
or an arbitrary number of leading chars right after the "200" code
(not spaces). For all these reasons, the actual pcre match "^200\s{}" could
lead to false negatives, because strings like "  00200 <nop sled +
shellcode>" or "200ABCD <nop sled + shellcode>" are also effective
in exploiting the vulnerability.

Some questions
--------------
Why the "i" pcre modifier in the current rule?
Why not restrict the "content:" with "depth:" in the current rule?
Is it more expensive than a simple "content:"200";"?


Fabio
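Added example (not part of Fabio's message or of the Snort rule set): a small Python check showing how an anchor of the form "^200\s" behaves against the harmless banner from the packet dump above and against the padded and glued variants the message describes. Both regexes and the length bound are assumptions standing in for the real sid 1792 pattern, which is truncated in the message, and the filler string stands in for any over-long greeting.

```python
import re

# Constructed filler standing in for an over-long NNTP greeting; the
# length is arbitrary and only needs to exceed the threshold below.
FILLER = "A" * 300

# Sample server->client greeting lines. The first is the harmless banner
# from the packet dump in the message; the others are constructed to
# mirror the padded and glued variants described under "False negatives".
SAMPLES = {
    "harmless_banner": "200 Welcome to Net24 VerdeAdsl Infostrada news server (Twister v1.2.0)\r\n",
    "plain_long":      "200 " + FILLER + "\r\n",
    "leading_pad":     "  00200 " + FILLER + "\r\n",
    "trailing_chars":  "200ABCD " + FILLER + "\r\n",
}

# Assumed stand-in for the rule's "^200\s" anchor: code, one whitespace,
# then at least 100 bytes on the same line (assumed overflow threshold).
STRICT = re.compile(rb"^200\s[^\r\n]{100,}", re.MULTILINE)

# Tolerant variant: allow leading spaces/zeroes before the code and any
# run of non-space bytes glued to it, as the message suggests.
TOLERANT = re.compile(rb"^[ 0]*200\S*\s[^\r\n]{100,}", re.MULTILINE)


def matches(pattern, line):
    """True if the pattern fires on one server greeting line."""
    return pattern.search(line.encode()) is not None


def evaluate():
    """Map each sample name to (strict_hit, tolerant_hit)."""
    return {name: (matches(STRICT, line), matches(TOLERANT, line))
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, (strict, tolerant) in evaluate().items():
        print(f"{name:16} strict={strict!s:5} tolerant={tolerant}")
```

The strict anchor fires only on the plain over-long greeting, while the padded and glued variants slip past it; the tolerant form catches all three without firing on the short, harmless banner.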


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs