Snort mailing list archives
Re: 2.1.3 Multiple events/packet
From: sekure <sekure () gmail com>
Date: Wed, 16 Jun 2004 11:48:13 -0400
Bump.... Is this not an issue for anyone or is everyone in on something I am oblivious to? I guess if I don't get any responses I'll just let it drop.

On Mon, 14 Jun 2004 08:54:35 -0400, sekure <sekure () gmail com> wrote:
Now that 2.1.3 has been out for a while, and people have seen the new functionality of alerting/logging multiple events per packet, what do you think and how are you dealing with it? On the surface it seems a good idea, but a lot of packets are generating multiple alerts, usually once on a generic signature and then once on a more specific one. For example, a simple directory traversal:

    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
    010 : 32 35 35 63 25 32 35 35 63 2E 2E 2F 77 69 6E 6E  255c%255c../winn
    020 : 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
    030 : 78 65 3F 2F 63 2B 64 69 72 0D 0A                 xe?/c+dir..

This will generate two alerts, 1113 "WEB-MISC http directory traversal" and 1002 "WEB-IIS cmd.exe access". This particular set of alerts also has the interesting distinction of having different priority/severity ratings: event 1113 is attempted-recon, priority 2, and 1002 is web-application-attack, priority 1.

This isn't a unique case either. I often see 2050 "MS-SQL version overflow attempt" and 2003 "MS-SQL Worm propagation attempt" together, 538 "NETBIOS SMB IPC$ share unicode access" and 2470 "NETBIOS SMB C$ share unicode access", and a bunch of others.

Is it a worthwhile effort to document these alerts and hopefully tune the signatures to deal with it? I understand the benefit of logging multiple events per packet when it really is two different alerts/events, but when the alert is the same, it's counterproductive. How is everyone dealing with this?
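Added example, not from the thread or from Snort itself: a small Python script that reads Snort "fast" format alert lines, groups them by packet (Snort stamps every event raised on one packet with the same timestamp, protocol and address pair) and ranks the SID pairs that keep firing together with their priorities. That is one way to build the list of candidate signature pairs to document and tune that the post asks about. The alert lines are constructed for the example; the rule revisions and classification strings in them are assumed.

```python
import re
from collections import Counter, defaultdict
from itertools import combinations

# Snort alert_fast output line: timestamp, [gid:sid:rev], msg, classification,
# priority, protocol, src -> dst. Classification is optional in that format.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample: two traversal requests firing 1113 + 1002 on the same
# packet, one SQL Slammer-style datagram firing 2050 + 2003, and one lone 1002.
SAMPLE = """\
06/14-08:54:35.101010  [**] [1:1113:4] WEB-MISC http directory traversal [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:3345 -> 198.51.100.8:80
06/14-08:54:35.101010  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3345 -> 198.51.100.8:80
06/14-08:55:02.220000  [**] [1:2050:5] MS-SQL version overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 192.0.2.20:1434 -> 198.51.100.9:1434
06/14-08:55:02.220000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.20:1434 -> 198.51.100.9:1434
06/14-08:56:10.000000  [**] [1:1113:4] WEB-MISC http directory traversal [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.11:4010 -> 198.51.100.8:80
06/14-08:56:10.000000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:4010 -> 198.51.100.8:80
06/14-08:57:00.500000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.12:4100 -> 198.51.100.8:80
"""

def parse_fast_alerts(lines):
    """Yield one dict per well-formed fast-format alert line; skip the rest."""
    for line in lines:
        m = FAST_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sid"], d["prio"] = int(d["sid"]), int(d["prio"])
            yield d

def cooccurring_sids(alerts):
    """Return [((sid_a, sid_b), packets, (prio_a, prio_b)), ...], most frequent first.
    Alerts sharing timestamp, protocol, source and destination came from one packet."""
    by_packet = defaultdict(set)
    prio = {}
    for a in alerts:
        by_packet[(a["ts"], a["proto"], a["src"], a["dst"])].add(a["sid"])
        prio[a["sid"]] = a["prio"]
    pairs = Counter()
    for sids in by_packet.values():
        for pair in combinations(sorted(sids), 2):
            pairs[pair] += 1
    return [(p, n, (prio[p[0]], prio[p[1]])) for p, n in pairs.most_common()]

if __name__ == "__main__":
    for (a, b), n, (pa, pb) in cooccurring_sids(parse_fast_alerts(SAMPLE.splitlines())):
        print(f"sid {a} (prio {pa}) + sid {b} (prio {pb}): {n} packet(s)")
```

On a real sensor, feed it the alert file written by `output alert_fast` instead of SAMPLE; pairs with a large count and differing priorities are the ones where the generic rule is adding noise rather than information.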