i've got to fix this subscribed address problem. sry for the resend.
Jason Brvenik wrote:
Matt Jonkman wrote:
Brian Caswell wrote:
Why write 9 extra rules when a tag on this 1 rule will accomplish the
same thing and provide even more "useful" data.
Accuracy and load were my thoughts. Since it's 1024: for ports I want to
make sure that the minimum matching is being done on all that traffic.
It's quite conceivable that benign traffic on high ports could start
with a 220.
This way we have a nearly foolproof chain of events before we get a hit.
No falses in theory... and low load.
more rules == more work in every case.
The rule
alert tcp any 1024: -> $HOME_NET 1024: (msg:"BLEEDING-EDGE \
ATTACK_RESPONSE Off-Port FTP Without Banners - 220"; \
flow:established,to_server; dsize:6; content:"220 |0d 0a|"; offset:0; \
depth:6; flowbits:noalert; flowbits:set,ET.strippedftp220; \
sid: 2007714; rev:1;)
has inherent overhead, adding rules on top of it doesn't help
performance. Qualifying with additional rules might help false positives
but packets *to server* are unlikely to fire in this chain anyway...
basically a client sending 220 \r\n only is probably rare unless
intentional.
If you want to post qualify events check out my latest SnortUnified.pm
with support for qualifiers :)
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
