[Emerging-Sigs] False positives due to poor port choices

Frank Knobbe frank at knobbe.us
Fri Jan 2 20:57:34 EST 2009


On Fri, 2009-01-02 at 16:43 -0500, ANDREW J WOOD wrote:
> There are many rules with "1024: -> any" and "any -> 1024:"

Well, of course, since those signatures fire on traffic that is destined
for a high port.

The reason that the source port (dynamic) is at "any" instead of "1024:"
is so that we don't miss alerts when NAT devices change the source port
to something below 1024. That happens often enough. Assuming that
dynamic ports always start at 1024 is wrong :)

If there are a lot of FPs with sigs on FTP data sessions, then I suggest
just changing that signature to use a source port of "!20".

Cheers,
Frank



-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
