
kfox
I have a number of ClearOS/CC servers and VMs in the wild and often found myself removing the same false-positive-generating snort rules over and over. This week I decided to be proactive and start compiling a list of what could be considered bad snort rules (poorly implemented is probably a better description) in general. That list is available here and I'll be making updates to it as data accumulates.

Please share with all of us in this thread your frequent false positives and why you think they happen. I've never felt that it was "good enough" to let the IPS roll for a day in each environment to determine which rules need to be disabled. I think if we put together a comprehensive list that dulls snort's teeth those of us dealing with downtime-sensitive environments can breathe a little easier when deploying a new ClearOS host.

Cheers folks!
Sunday, June 06 2010, 02:39 PM
Responses (8)

    kfox
    Wednesday, June 09 2010, 11:09 AM
    Cool, thanks for the insight Tim.

    Tuesday, June 08 2010, 10:20 PM
    I believe the 1000000000-series rules are from the old 'community rule set' provided by snort. You used to get the snort certified rules and then all the community add-ons (there used to be lots from my days of messing around with Oinkmaster), but as Peter stated above they (ClearOS) now pick and choose their own rules.

    Monday, June 07 2010, 05:51 PM
    Not at the moment -- thanks for the offer!

    kfox
    Monday, June 07 2010, 03:23 PM
    Anything I could do to help?

    Monday, June 07 2010, 02:40 PM
    Hi kfox,

    We basically forked the Snort rules when SourceFire closed their rulesets many years ago. The $500 annual subscription is just a wee bit pricey for small organizations and we decided to manage the rules differently. The rules are now maintained by a 3rd party consulting firm and mostly come from Emerging Threats and other various online resources.

    We started to pull together a database for all these rules (inspired by Tim's bug report), but the time commitment was more than anticipated. No worries, it will get done relatively soon since it's a high priority item.

    kfox
    Monday, June 07 2010, 01:13 AM
    I'm having a hard time figuring out where the 1000000000-series rules come from; I'm guessing they're extra odds and ends the developers put into ClearOS?

    Sunday, June 06 2010, 09:31 PM
    Good idea :)

    These are known to cause issues with Gallery2 (part of the web PHP rulesets)
    web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_itemId access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_itemId|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000211; rev:2; fwsam: src, 1 day;)
    web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_return access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_return|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000212; rev:2; fwsam: src, 1 day;)
    web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_view access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_view|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000213; rev:2; fwsam: src, 1 day;)
    web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_subView access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_subView|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000214; rev:2; fwsam: src, 1 day;)


    CCforums reference
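Since this thread is really about maintaining a list of sids to switch off, here is an added example (not from the thread, ClearOS or the rule maintainers) in Python that parses Snort rule lines like the ones pasted above, comments out every enabled rule whose sid is on a false-positive list, and reports list entries that no longer match anything, which is what happens after a rule update renumbers or drops a rule. The sample rules file is constructed; only sids 100000211 to 100000214 come from the post, while sids 100000299 and 1000001 are placeholders.

```python
import re
from typing import Optional, Set, Tuple
ACTION_RE = re.compile(r'(?:alert|log|pass|drop|reject|sdrop)\s')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')
PREFIX_RE = re.compile(r'^([\w.\-]+\.rules):')   # "web-php.rules:" grep prefix as pasted above

def parse_rule(line: str) -> Optional[dict]:
    """Parse one Snort rule line, enabled or '#'-disabled.
    Returns {'file', 'enabled', 'sid', 'msg'}, or None for blank/comment lines."""
    text = line.strip()
    m = PREFIX_RE.match(text)
    source = m.group(1) if m else None
    if m:
        text = text[m.end():].lstrip()
    enabled = not text.startswith('#')
    body = text.lstrip('# ')
    if not ACTION_RE.match(body):
        return None                      # an ordinary comment, not a disabled rule
    sid = SID_RE.search(body)
    if not sid:
        return None                      # every rule carries a sid; skip malformed lines
    msg = MSG_RE.search(body)
    return {'file': source, 'enabled': enabled,
            'sid': int(sid.group(1)), 'msg': msg.group(1) if msg else ''}

def disable_sids(rules_text: str, bad_sids: Set[int]) -> Tuple[str, Set[int], Set[int]]:
    """Comment out every enabled rule whose sid is in bad_sids. Returns (new_text,
    disabled, not_found); already-disabled rules are left untouched, never doubled."""
    out, disabled = [], set()
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and rule['enabled'] and rule['sid'] in bad_sids:
            out.append('# ' + line.strip())   # Snort ignores lines beginning with '#'
            disabled.add(rule['sid'])
        else:
            out.append(line)
    return '\n'.join(out) + '\n', disabled, set(bad_sids) - disabled

# Constructed sample rules file: two Gallery2 rules from the post, one rule disabled earlier, one unrelated rule.
SAMPLE_RULES = """\
# gallery2 rules from the thread, trimmed to the options that matter here
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_itemId access"; flow:to_server,established; uricontent:"g2_itemId|3D|"; nocase; sid:100000211; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_return access"; flow:to_server,established; uricontent:"g2_return|3D|"; nocase; sid:100000212; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed, already disabled"; sid:100000299; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed unrelated rule, keep active"; sid:1000001; rev:1;)
"""
# The four Gallery2 sids named in the post; 213 and 214 are deliberately absent from the sample file.
GALLERY2_SIDS = {100000211, 100000212, 100000213, 100000214}
```

Running `disable_sids(SAMPLE_RULES, GALLERY2_SIDS)` disables 100000211 and 100000212 and reports 100000213 and 100000214 as not found, so a stale entry in your bad-rule list is visible rather than silently skipped.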

    Sunday, June 06 2010, 03:17 PM
    Very nice kfox! I'll keep an eye on it.