Snort False Positive and Negative
Terms in this set (12)
A situation where Snort generates an alert in the absence of a threat, malicious code or an attack.
What is a false positive?
A situation where Snort does not trigger an alert in the presence of a threat or an attack.
What is a false negative?
True or False?
False negatives are riskier than false positives.
Use a pass rule.
If a packet matches a pass rule, Snort stops inspecting similar packets any further.
This will ignore any traffic from myserver and might generate a false negative!
pass tcp myserver any -> any any
What is one way of avoiding too many false positives?
It alerts on traffic containing the string PASS. It is too general and may result in false positives.
What is the result of this alert?
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format attempt"; content:"PASS";)
Rule a) is too general and generates more false positives. Therefore, b) is preferred, as it involves additional strings in its signature.
Which alert is more specific, resulting in fewer false positives?
a) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format attempt"; content:"PASS";)
b) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; content:"PASS ddd@|0A|";)
Enables your rule to add an alert classification (such as trojan-activity or policy-violation).
Can have multiple instances in a single rule; can be added pointing at a CVE reference, a URL, or anything else that helps identify the alert further.
Added to rules; useful for filtering alerts (0-4).
Common Vulnerabilities and Exposures (CVE)
A dictionary of publicly known information security vulnerabilities and exposures.
1. Snort reports alerts; observe whether a rule is matched.
2. Is the alert valid, or is it a false positive?
3. If the alert is valid, we have to find out the severity of the alert.
4. Decide what to do about it as an analyst.
What are the 4 common/general steps for analyzing alerts using Snort?
Analysis: Inspecting the 4-tuple, the alert is coming from a host with a private IP address and targeting a secure web server listening on port 443 using SSL/TLS. Securing this web server is critical. The non-printable control characters 01 and 08 are used to cause an effect when script-based payloads are added to a packet. Looking at the CVE reference, this attack uses a buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 with Service Packs, and Server 2003. This attack allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. In the same way, looking at the SecurityFocus cross-reference, the attack is described as a remotely exploitable stack-based buffer overrun via the PCT protocol. SecurityFocus also adds that successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in a full system compromise.
The severity is high, as the system under attack is a server and the SSL encryption is compromised. And what to do about it?
[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
10/01-11:41:15.686722 192.168.1.15:22603 -> 184.108.40.206:443
TCP TTL:64 TOS:0x0 ID:29026 IpLen:20 DgmLen:493 DF
** Seq: 0xD8C5CB22 Ack: 0x615E19C2 Win: 0x3EA TcpLen: 32
TCP Options (3) => NOP NOP TS: 726588750 604292725
[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0719]
[Xref => http://www.securityfocus.com/bid/10116]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
10/01-12:15:16.656177 192.168.1.5:51441 -> 220.127.116.11:80
TCP TTL:64 TOS:0x0 ID:31584 IpLen:20 DgmLen:1500 DF
*** Seq: 0xD42806D6 Ack: 0x4EAD6213 Win: 0xFFFF TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2527]
Is the alert valid or a false positive? Use the Xref links. (Note: the first alert targets port 443, which is used for encryption.)