Abstract
A number of Snort security rules attempt to identify a threat by looking for a single
plain text string of characters across a broad range of IP protocols. This simple string of characters is the only condition required to trigger the rule and generate an alert.
These rules are problematic for numerous reasons including; Attackers can utilise these rules to generate a large number of false positive alerts in an attempt to mask an effective attack.
Attackers can use these rules in the passive reconnaissance or probing of your
network defences, in an attempt to determine what security devices are deployed.
The text strings being sought by these rules are trivial to create and can be introduced into a network by various legitimate means including HTTP GET requests, Telnet and email messages.
If a security device using these rules identifies the particular text strings
within the crafted network traffic, a false positive alert will be generated
but more importantly, the dropping or blocking of this traffic may now
inadvertently reveal information such as the presence of a particular security
system on your network.
Security White Paper IPS Discovery and Passive Reconnaissance : IPS Discovery and Passive Reconnaissance
idappcom limited
Barham Court, Teston, Kent ME18 5BZ. UK
t: +44 (0)203 355 6804
Toll Free USA: 1 888 433 8835
Freephone UK: 0800 680 0791
Worldwide: +1 321 985 1511
OR +44 203 355 6804
e: [email protected]
www.idappcom.com