Subject: Re: [snort] Fun with false alarms
From: Martin Roesch (roesch@hiverworld.com)
Date: Mon Mar 13 2000 - 16:48:51 CST
- Next message: Martin Roesch: "Re: [snort] FW: TFN2K Analysis - Update 1.3"
- Previous message: Martin Roesch: "[snort] beta 12?"
- In reply to: Stuart Staniford-Chen: "[snort] Fun with false alarms"
- Reply: Martin Roesch: "Re: [snort] Fun with false alarms"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
These rules should really be trying to "localize" the exploit content a
bit better using the "depth" and "offset" keywords, perhaps multiple
content strings as well. Additionally, if you aren't protecting any
servers that are vulnerable to these types of attacks, it's probably
prudent to remove the rules altogether.
You could also localize them by including the full URL that institutes
the attack (but of course, then you'd have to have multiple rules to
cover a single attack to catch things like "HEAD"s instead of "GET"s).
This type of problem is a big issue in "Snort-like" programs. You just
have to be smart about what you match on and include in your rule
set....
Stuart Staniford-Chen wrote:
>
> The lack of application layer reconstruction in snort can hurt. For
> example, today I tracked down a number of instances of this alert.
>
> alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:
> "IDS248/web-frontpage-pws-fourdots"; content: "....";
> flags: AP;)
>
> If you check out Max's page at http://whitehats.com/IDS/248 (thanks so
> much for doing that Max!) you'll see that the intent is to catch people
> trying to cd their way out of where they are supposed to be when
> browsing a Frontpage created site to access files they shouldn't have
> access to. Thus the idea of the signature is to look for URLs
> containing "...." immediately after the HTTP method (ie the requested
> URL). *However*, the signature actually looks for it anywhere in the
> packet.
>
> False alarms on this signature I have analyzed today fall into two
> categories:
>
> Cookies sometimes contain "...." for some reason and this shows up.
>
> People writing email to a web based email server application
> surprisingly often type "...." in the course of writing their message.
> This causes that part of the message to show up in the IDS logs (which
> is a very bad thing - I really really don't want to look at innocent
> people's email while trying to detect intrusions).
>
> I'm not picking on this particular signature (or Max) - similar issues
> affect a number of them.
>
> Another good one is this from Rapidnet:
>
> alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-JJ CGI access
> attempt";flags:PA; content:"/jj";)
>
> It's really quite easy to have a legitimate web page with "/jj" in the
> URL! Try entering it into a search engine. Folks with names like "John
> Jones" often go by the initials "jj".
>
> Stuart.
>
> --
> Stuart Staniford-Chen --- President --- Silicon Defense
> stuart@silicondefense.com
> (707) 822-4588 (707) 826-7571 (FAX)
--
Martin Roesch <roesch@hiverworld.com>
Director of Forensic Systems
http://www.hiverworld.com
Hiverworld, Inc.
Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
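As an added example (not code from Martin's or Stuart's mail, and not Snort's own implementation), the Python below emulates Snort's content/offset/depth tests over constructed HTTP payloads for the cases Stuart describes, and contrasts the "...." anywhere rule with a version localized to the request line as Martin suggests. The 80-byte request-line window, the per-method rules and the sample payloads are assumptions.

```python
# Added example: emulate Snort 1.x content / offset / depth semantics to show
# why content:"...." alone fires on cookies and webmail bodies, and how
# confining the match to the request line narrows it. Payloads are constructed.

def content_match(payload, pattern, offset=0, depth=None):
    """Snort-style content test: look for `pattern` in the payload window that
    starts at `offset` and spans at most `depth` bytes (whole payload if None)."""
    end = None if depth is None else offset + depth
    return pattern in payload[offset:end]

def rule_fires(rule, payload):
    """A rule fires only if every one of its content tests matches."""
    return all(content_match(payload, *c) for c in rule["contents"])

# Original signature: "...." anywhere in the packet.
NAIVE = [{"msg": "fourdots-anywhere", "contents": [(b"....",)]}]

# Localized variant (assumed): method string anchored at offset 0, and "...."
# confined to the first 80 bytes, which covers a typical request line but not
# later headers or a POST body. One rule per method, as Martin notes (GET vs HEAD).
LOCALIZED = [
    {"msg": "fourdots-GET-uri", "contents": [(b"GET /", 0, 5), (b"....", 5, 75)]},
    {"msg": "fourdots-HEAD-uri", "contents": [(b"HEAD /", 0, 6), (b"....", 6, 74)]},
]

PAYLOADS = {  # constructed samples, one per case in the thread
    "traversal": b"GET /..../private.txt HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "head_traversal": b"HEAD /..../private.txt HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "cookie": (b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/4.0\r\nCookie: sid=abc....def\r\n\r\n"),
    "webmail": (b"POST /mail/send HTTP/1.0\r\nHost: mail.example.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"to=bob&body=see+you+soon....bye"),
}

def alerts(rules, payloads=PAYLOADS):
    """Return {payload_name: sorted list of rule msgs that fired}."""
    return {name: sorted(r["msg"] for r in rules if rule_fires(r, p))
            for name, p in payloads.items()}

if __name__ == "__main__":
    for label, rules in (("naive", NAIVE), ("localized", LOCALIZED)):
        print(label, alerts(rules))
```

The depth value is a trade-off: a longer legitimate URL pushes "...." past the window and is missed, while a very short request line lets an early Cookie header back in, which is why Martin also suggests matching the full attack URL.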