[Dshield] Rating Attackers

John Sage jsage at finchhaven.com
Fri Aug 2 13:22:37 GMT 2002


Johannes:

On Fri, Aug 02, 2002 at 07:38:30AM -0400, Johannes Ullrich wrote:
> 
> > Not to pick, but that web page sets off snort, big time. Freaked the
> > sh*t out of me until I figured what was going on, since I first saw
> > the alert out on my firewall box, and the destination port says that
> > the packet contents were getting through into one of my interior
> > boxes...
> 
> the art of tuning snort rules. Look at the newer version of snort that
> can actually filter by the 'direction' of the packet. We get this a lot
> for incidents.org, as there are tons of pages with 'signatures' on them.

ah..

This would have been the stock rulesets with snort 1.8.7


alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)


So it's the "any any" "any any" that's the problem.

Would this exploit be more expected to be outbound from a compromised
server?

So I should have "$HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any" --
which is in fact how most of the other attack-responses.rules are
written..


- John
-- 
Most people don't type their own logfiles;  but, what do I care?

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
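The thread above turns on one detail: sid 498 ships with an "any any -> any any" header, so it fires whenever the string uid=0(root) crosses the sensor in either direction, including inside an inbound web page, while the rest of attack-responses.rules is scoped to traffic leaving the monitored servers. The following script is an added example, not code from the list or from the Snort project: it parses Snort 1.x-style rule lines, flags any rule whose header is unscoped in both directions, and rewrites the header to the "$HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any" form proposed in the message. The sample rules are constructed for illustration (only the sid 498 rule is quoted from the thread; the other sids are invented placeholders), and the option parser is deliberately simple and does not handle semicolons inside quoted option values.

```python
import re

# Constructed sample ruleset. The first line is the stock rule quoted in the
# thread; the other two rules and their sids are made up for this example.
SAMPLE_RULES = """\
alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
# comment lines and blank lines are skipped
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"EXAMPLE scoped outbound response"; content:"example-marker"; classtype:bad-unknown; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE inbound probe"; content:"example-probe"; classtype:attempted-recon; sid:1000002; rev:1;)
"""

# Snort rule header: action proto src sport dir dst dport, then (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(line):
    """Parse one rule line into header fields plus an options dict.

    Returns None for comments, blank lines, or anything that is not a rule.
    Option values are split on ';', so a ';' inside a quoted value is not
    handled (adequate for the constructed samples, not for every ruleset).
    """
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = HEADER_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    rule['raw_opts'] = rule['opts']      # keep the verbatim option text
    opts = {}
    for opt in rule['raw_opts'].split(';'):
        opt = opt.strip()
        if not opt:
            continue
        if ':' in opt:
            key, value = opt.split(':', 1)
            opts[key.strip()] = value.strip().strip('"')
        else:
            opts[opt] = True             # flag-style option with no value
    rule['opts'] = opts
    return rule


def is_unscoped(rule):
    """True when neither endpoint nor port restricts the rule (any any -> any any)."""
    return all(rule[k] == 'any' for k in ('src', 'sport', 'dst', 'dport'))


def lint_rules(text):
    """Return [(sid, msg)] for every rule in text whose header is fully unscoped."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None and is_unscoped(rule):
            findings.append((rule['opts'].get('sid'), rule['opts'].get('msg')))
    return findings


def scope_rule(line, src='$HTTP_SERVERS', sport='$HTTP_PORTS',
               dst='$EXTERNAL_NET', dport='any'):
    """Rewrite a rule's header so it only matches responses leaving the web servers.

    The defaults are the header proposed in the thread; the action, protocol,
    direction operator and options are carried over unchanged.
    """
    rule = parse_rule(line)
    if rule is None:
        raise ValueError('not a snort rule: %r' % line)
    return '%s %s %s %s %s %s %s (%s)' % (
        rule['action'], rule['proto'], src, sport, rule['dir'], dst, dport,
        rule['raw_opts'])


if __name__ == '__main__':
    for sid, msg in lint_rules(SAMPLE_RULES):
        print('unscoped header: sid %s (%s)' % (sid, msg))
    print(scope_rule(SAMPLE_RULES.splitlines()[0]))
```

Running the script reports sid 498 as the only unscoped rule and prints it rewritten with the outbound-only header; the inbound-probe rule is left alone because its header already restricts source and destination networks, which is the distinction the thread is about.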
