Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] False postive for SID 2329 - HL/TFC

from [Matthew Watchinski] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] False postive for SID 2329 - HL/TFC
Date: Thu, 21 Dec 2006 14:32:07 -0500 
If you up for playing with some experimental functionality you can do 
the following and see if it makes this false positive go away

If you running 2.6.1.1 you can compile with "--enable-stream4udp"

Then modify your snort.conf with the following

Right after your stream4_reassemble line add the following line

preprocessor stream4_external: enable_udp_sessions,max_udp_sessions 16384

Then modify the rule below by adding

flow:to_server,established

--------------------------------------------------------

Additionally make sure your $HOME_NET and $SQL_SERVERS variables are set 
to something other than "any" if at all possible.

<mileage may vary, driver on closed course, shown with optional parts, 
some accessories required, etc.. etc..>

Cheers,
-matt

Matthew Williams wrote:

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

--
Sid: 2329

--
Summary: A false positive is generated for SID 2329 by normal 
HL(Half-Life)/TFC(Team Fortress Classic) game data traffic.

--
Impact: Serious. Immediate termination of game play to that particular game 
server for the period of the block :(

--
Detailed Information: This is from the /var/log/snortsam log file:
2006/12/19, 21:48:14, 127.0.0.1, 2, snortsam, Blocking host 144.140.155.117 
completely for 86400 seconds (Sig_ID: 2329).

This is from the /var/log/secure log file:
Dec 19 21:48:14 wilber snort[2805]: [1:2329:6] MS-SQL probe response overflow 
attempt [Classification: Attempted User Privilege
Gain] [Priority: 1]: {UDP} 144.140.155.117:27025 -> 220.233.224.217:27005

By default, port 27015 is the default server port for the popular online game 
Half-Life and its mods such as Team Fortress Classic.
By default, port 27005 is the default client port.

This don't trip all the time. Sometimes I can go for hours(like a 5 hour 
gaming session), days or even weeks and not have a false
positive. But sometimes its bad and I can get several false positives within 
a single night.

--
Affected Systems: Team Fortress Classic(a Half-Life mod) confirmed. Half-Life 
and its other mods might also be affected.

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives: This SID falsely indentifies the normal gaming traffic of 
the Half-Life mod Team Fortress Classic as an MS-SQL
probe response overflow attempt.

--
False Negatives:

--
Corrective Action: Added the game server IP address to the exempt list.

--
Contributors: Matthew Williams <snort.org@wilber.pointclark.net>



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] False postive for SID 2329 - HL/TFC, Matthew Williams
Next by Date:  Re: [Snort-sigs] Flowbit dependancy issue, Matthew Watchinski
Previous by Thread:  [Snort-sigs] False postive for SID 2329 - HL/TFC, Matthew Williams
Next by Thread:  [Snort-sigs] False positive rule 2544, Klein, Jamy
Indexes:  [Date] [Thread] [Top] [All Lists]