TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
That's an excellent suggestion: isolate the signatures which are giving false positives all the time, and make the signature database optimized. It will definitely make the life of IDS monitoring guys much easier .... :-)

Cheers
Rajesh

>From: [EMAIL PROTECTED]
>To: Paul Van Gurp <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: RE: RE: RE: Is it worth keeping Http Shell signature in network sensors?
>Date: Fri, 28 Jun 2002 11:48:49 -0500
>
>This is an excellent point. We've complained before that even connection
>events aren't correct (ie SYN-ACK packets trigger it, not just SYN
>packets), and this same problem shows up in a *lot* of cases such as the
>random source port you describe. The port number-based signatures are the
>worst, but the principle applies to a *lot* of overly broad signatures that
>should be tightened.
>
>We should perhaps compile a list of the signatures that most frequently
>show false positives and send this to ISS for review -- via normal support
>channels, not via the forum. Maybe that will catch the attention of the
>decision-makers. FWIW, I hear similar complaints from their MIDS people as
>well.
>
>-----Original Message-----
>From: Paul Van Gurp <[EMAIL PROTECTED]>
>Sent: Friday, June 28, 2002 11:02 AM
>To: Kyle R. Maxwell/EMPL/TX/Verizon@VZNotes; Eric Ballantyne <[EMAIL PROTECTED]>; rajesh vasudevan <[EMAIL PROTECTED]>
>Cc: [EMAIL PROTECTED]
>Subject: RE: RE: Is it worth keeping Http Shell signature in network sensors?
>
>I think this was just an example of bad signatures but is just the tip of
>the iceberg. There are too many signatures that seem to trigger on simply
>the port numbers in use or some other combination of events that happen all
>too frequently...take for example the HTTP_History signature...it triggers
>on the word "history" in the URL...and many others. These simple signatures
>(the port ones for example) don't seem to identify the state of the
>connection and for example will sometimes consider a buffer overflow attempt
>on some service which uses port 6223 but didn't notice that this was a
>random source port chosen by the workstation...ie 1.2.3.4:80 ->
>5.6.7.8:6223...
>
>Seems there are an awful lot of these types of signatures that could use
>improvement...
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Friday, June 28, 2002 10:33 AM
>To: Eric Ballantyne; 'Paul Van Gurp'; rajesh vasudevan
>Cc: [EMAIL PROTECTED]
>Subject: RE: RE: Is it worth keeping Http Shell signature in network sensors?
>
>ISS suggested that the HTTP_Cisco_Catalyst_Exec signature is tunable. We
>added "varzea" to the list of excluded directories ("obidos" was already on
>there, and both of these are used extensively by Amazon.com) and that has
>cut *way* down on our false positives in the last few days.
>
>HTTP_Shells still needs work and they've promised us to review it for the
>next XPU. Whether it has any effect (or how much of one it has) remains to
>be seen, of course. We've discussed some of these problems with their VP of
>Development as well and hope to see progress on this in the near future.
>
>-----Original Message-----
>From: Eric Ballantyne <[EMAIL PROTECTED]>
>Sent: Friday, June 28, 2002 9:21 AM
>To: "'Paul Van Gurp'" <[EMAIL PROTECTED]>; "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>; rajesh vasudevan <[EMAIL PROTECTED]>
>Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: RE: Is it worth keeping Http Shell signature in network sensors?
>
>I have to agree with all of the comments listed below. Even after trying
>several attempts at fine tuning both events, I have a 95%-99% false positive
>rate on both signatures. Even after several upgrades and XPU's I haven't
>seen any improvement.
>
>-----Original Message-----
>From: Paul Van Gurp [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, June 27, 2002 6:26 AM
>To: '[EMAIL PROTECTED]'; rajesh vasudevan
>Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: RE: Is it worth keeping Http Shell signature in network sensors?
>
>I also agree. The HTTP_Shells and Cisco alert referred to below should be
>tuned or removed as they are false 99.99% of the time in my environment.
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, June 26, 2002 1:42 PM
>To: rajesh vasudevan
>Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Re: Is it worth keeping Http Shell signature in network sensors?
>
>We've seen almost completely false positives here as well, especially
>related to Yahoo! (evidently some of their graphics files have a directory
>called "sh" in the path), and the Java problem is even more egregious.
>
>We have similar problems with the HTTP_Cisco_Catalyst_Exec signature and
>Amazon.com, since the signature triggers on any URL where the object starts
>with "/exec". Both of these signatures are overly broad IMO and should be
>tightened to reduce the false positive rate.
>
>From: "rajesh vasudevan" <rajeshvasudevan@hotmail.com>
>Sent by: owner-issforum@iss.net
>To: [EMAIL PROTECTED]
>Subject: Is it worth keeping Http Shell signature in network sensors?
>Date: 06/25/2002 02:13 AM
>
>Hi,
>
>This is about the HTTP_SHELL signature, which I feel is not doing its function.
>
>This signature is capturing the traffic with URLs which contain "sh" or
>"java". RealSecure gives an explanation to the event that this signature
>detects an attempt to get shells to execute commands.
>But if the signature detects any URL with entries like
>"/docs/api/java/util/Date.html" as an attempt to invoke a Shell interpreter,
>then it raises a serious concern about the reliability of that signature.
>So far I couldn't find a single attempt related to this event which seems
>to be a genuine one.
>
>I had gone through the mailing list archives also, I could see the same
>queries were raised before.. But nobody (even ISS Support) could give a
>clear explanation about this or any modification on this signature.
>
>I request you to give your feedback / experience on this signature, so that
>if this signature proves to be useless, then I need to remove it from the
>policy file and hence I can save a good amount of hard disk space !!!
>
>Cheers
>
>Rajesh
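The thread describes three kinds of over-broad rule: a substring match on "sh"/"java" anywhere in a URL, an "/exec" prefix match that needs Amazon directories ("obidos", "varzea") excluded, and a port-number rule that fires on a server's SYN-ACK back to a random client port. The following is an added illustration, not RealSecure's signature code and not something any poster wrote, that models each complaint as a naive rule beside a tightened one and counts alerts over a small constructed, hand-labelled traffic sample; the `Flow` type, the rule functions, the port 6223 service and every URL and address in `SAMPLES` are assumptions made for the example.

```python
"""Naive vs. tightened IDS signatures over labelled sample traffic (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool          # TCP SYN flag set
    ack: bool          # TCP ACK flag set (SYN+ACK is the server's reply, not a new connection)
    url: str = ""      # HTTP request path; empty for non-HTTP packets


def path_segments(url: str):
    """Split '/a/b?x=1' into ['a', 'b'], dropping the query string."""
    return [s for s in url.split("?", 1)[0].split("/") if s]


# --- naive rules, modelled on the behaviour the thread complains about ---

def naive_http_shells(flow: Flow) -> bool:
    # "sh" or "java" anywhere in the URL: /docs/api/java/... and /i/sh/logo.gif both match
    return "sh" in flow.url or "java" in flow.url


def naive_catalyst_exec(flow: Flow) -> bool:
    # any object starting with /exec: every Amazon /exec/obidos/... URL matches
    return flow.url.startswith("/exec")


def naive_port_6223(flow: Flow) -> bool:
    # port number on either side: a server's SYN-ACK to a random client port matches
    return 6223 in (flow.src_port, flow.dst_port)


# --- tightened rules (constructed for this example) ---

INTERPRETER_OBJECTS = {"sh", "java"}        # the names the naive rule was looking for
EXCLUDED_EXEC_DIRS = {"obidos", "varzea"}   # the exclusions mentioned in the thread


def tight_http_shells(flow: Flow) -> bool:
    # fire only when the requested object itself is the interpreter name,
    # not when a directory somewhere in the path happens to contain it
    segs = path_segments(flow.url)
    return bool(segs) and segs[-1] in INTERPRETER_OBJECTS


def tight_catalyst_exec(flow: Flow) -> bool:
    # /exec must be the first directory, and the next directory must not be a known benign one
    segs = path_segments(flow.url)
    return bool(segs) and segs[0] == "exec" and (len(segs) < 2 or segs[1] not in EXCLUDED_EXEC_DIRS)


def tight_port_6223(flow: Flow) -> bool:
    # only the initial SYN toward the service port: client -> server, new connection
    return flow.dst_port == 6223 and flow.syn and not flow.ack


NAIVE_RULES = [naive_http_shells, naive_catalyst_exec, naive_port_6223]
TIGHT_RULES = [tight_http_shells, tight_catalyst_exec, tight_port_6223]

# Constructed, hand-labelled sample traffic: (flow, is_malicious)
SAMPLES = [
    (Flow("10.0.0.5", 34567, "198.51.100.10", 80, True, False, "/docs/api/java/util/Date.html"), False),
    (Flow("10.0.0.5", 34568, "198.51.100.11", 80, True, False, "/i/sh/logo.gif"), False),
    (Flow("10.0.0.5", 34569, "198.51.100.12", 80, True, False, "/exec/obidos/ASIN/0596001320"), False),
    (Flow("10.0.0.5", 34570, "198.51.100.12", 80, True, False, "/exec/varzea/ts/my-zshop"), False),
    # web server answering the workstation: SYN-ACK from port 80 to the random client port 6223
    (Flow("198.51.100.13", 80, "10.0.0.5", 6223, True, True, ""), False),
    # the kind of request the signature description says it is meant to catch (constructed)
    (Flow("10.0.0.5", 34571, "198.51.100.14", 80, True, False, "/cgi-bin/sh"), True),
    # an inbound new connection to the 6223 service itself
    (Flow("203.0.113.7", 40000, "10.0.0.9", 6223, True, False, ""), True),
]


def count_alerts(rules, samples):
    """Return (true_positives, false_positives) for a rule set over labelled samples."""
    tp = fp = 0
    for flow, malicious in samples:
        if any(rule(flow) for rule in rules):
            if malicious:
                tp += 1
            else:
                fp += 1
    return tp, fp


def false_positive_rate(rules, samples) -> float:
    """Fraction of alerts that were raised on benign traffic."""
    tp, fp = count_alerts(rules, samples)
    return fp / (tp + fp) if tp + fp else 0.0


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE_RULES), ("tightened", TIGHT_RULES)):
        tp, fp = count_alerts(rules, SAMPLES)
        print(f"{name:9s}: {tp} true positives, {fp} false positives, "
              f"FP rate {false_positive_rate(rules, SAMPLES):.0%}")
```

On this sample the naive set raises seven alerts of which five are false, while the tightened set keeps both true positives and raises no false ones; the three changes that do the work are matching the requested object rather than any substring, carrying a per-signature exclusion list, and checking the SYN flag and destination port so that only the client's opening packet counts.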
