The signature generates false positives on DNS traffic. An example is a DNS query with a Transaction ID of 0xE30F. On networks with a lot of DNS traffic the signature will produce 30+ alarms per day.
We're getting alarms with Victim address = n/a and attacker/victim port = n/a for this signature. We've tried to change the Event count key to "Attacker and victim addresses" and/or "Attacker and victim addresses and ports" but there are still a lot o...
This signature seems to fire towards FTP servers with a welcome message before the login prompt. E.g.:
Connected to 127.0.0.1.
220-##
220-##
220-*--------------------------------------------------------------------------------*
220-*-----------------------...
I want this signature to have the old behaviour it had in 4.x. So I changed the Keys from Axxx to Axxp. Also I wanted to exclude port 80 and 443 entirely, so I added 0-79,81-442,444-65535 to Port Range. This does not seem to work. The following sce...
Ehh? So just because there already are a lot of bad-quality signatures we should accept more? I guess the current engines can't handle this type of advanced signature and that's too bad. Several competitors are making way more advanced signatures.
How about modifying the signature so it won't look at the transaction ID for DNS traffic? A lot better than having everyone with a Cisco IDS/IPS sensor add filters or change the ports. Yes, I agree, signature quality is sometimes really poor. This ...
Great. Another meta signature that would be useful is something like "FTP Successful brute force", consisting of signatures 6250 (FTP Auth. Failure) and 5846 (FTP 230 Reply Code), to detect successful brute force attempts.
Looking at signature 5846 (FTP 230 Reply Code) and the regexp "230 [Uu][Ss][Ee][Rr] ": an FTP server is not required to send the string "User" after a 230 response code, so this signature will only detect successful logins to some FTP servers :(.
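The two points raised above (a "successful brute force" correlation of auth failures followed by a 230 reply, and the 5846 regexp missing 230 replies that don't contain "User") as an added illustration; this is example code written for this thread, not Cisco signature logic. It assumes 530 replies as the auth-failure condition, a constructed threshold of 3, and constructed sample server replies.

```python
import re
from collections import defaultdict

# Constructed sample of FTP server replies (server -> client), one per line,
# formatted as "<client_ip> <reply line>". Not real capture data.
SAMPLE_REPLIES = """\
10.0.0.5 220 (vsFTPd 3.0.3)
10.0.0.5 530 Login incorrect.
10.0.0.5 530 Login incorrect.
10.0.0.5 530 Login incorrect.
10.0.0.5 230 Login successful.
10.0.0.9 220 ProFTPD Server ready.
10.0.0.9 230 User alice logged in
10.0.0.7 530 Login incorrect.
10.0.0.7 230 User bob logged in
""".splitlines()

# Regexp as quoted from signature 5846 in the thread: only "230 User ..." matches.
SIG_5846_RE = re.compile(r"230 [Uu][Ss][Ee][Rr] ")
# Looser alternative (assumption): any 230 reply line, whatever text follows.
ANY_230_RE = re.compile(r"^230[ -]")


def parse(line):
    """Split a constructed sample line into (client_ip, reply_text)."""
    client, _, reply = line.partition(" ")
    return client, reply


def detect_successful_brute_force(lines, threshold=3, login_re=ANY_230_RE):
    """Return (client, failure_count) for each client whose session shows
    at least `threshold` 530 replies and then a successful-login reply.
    530 as the failure condition and the threshold are assumptions."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        client, reply = parse(line)
        if reply.startswith("530"):
            failures[client] += 1
        elif login_re.search(reply):
            if failures[client] >= threshold:
                alerts.append((client, failures[client]))
            failures[client] = 0  # session authenticated; reset the counter
    return alerts
```

Running the correlation with the 5846 regexp yields no alert, because the vsFTPd-style "230 Login successful." reply never matches; the any-230 variant flags the client with three failures.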