Snort mailing list archives

Re: Common false positives


From: Matt Kettler <mkettler () EVI-INC COM>
Date: Tue, 25 Feb 2003 12:06:41 -0500

Well, there are lots of common "non-issue" cases.

In general, your first hint should be to look at the classification of the rule that fired; classifications like "not-suspicious" should be obvious.

Next, there are a couple of super-common cases that trigger rules in non-issue situations:

ICMP Large ICMP Packet - commonly falsely alerted on Speedera; this case will be a large ICMP echo request directed to your DNS server containing a data payload of all 00s.

Anything in icmp-info.rules is informational; if you turn on these rules in your config, they generally do NOT indicate an attack.

EXPERIMENTAL WEB-CLIENT javascript URL host spoofing attempt - some sane JavaScript code still triggers this. Post-1.9.0 rule-file releases have dropped the experimental tag, but I personally can't see why.

And some "so common I ignore them" attacks:

WEB-CGI formmail access - this goes off a lot as spammers attempt to check if you have formmail.pl. It will fire on an access attempt, not a success. If you don't have formmail on your site, this does represent a likely attempt to abuse your system, but it's noisy. If you have formmail, and know that it's a secure version, this is super noisy.

WEB-MISC http directory traversal - this goes off constantly due to worms like Code Red. They are likely to be real attacks, but if your server is known to be immune, this is silly. Ditto for cmd.exe access, vti_bin access, and a whole pile of other web-worm attacks that target the foolish. If you run an unpatched version of IIS, well... you're a fool, and you need to worry about these.




At 09:10 AM 2/25/2003 -0700, you wrote:

Hello all...

I was simply wondering if those of you with more experience with snort could share some of the rules that are generally found to be false positives. I'm learning to weed through all this information, and would like to be able to narrow my search a bit.

Thanks!

John Cherbini
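A worked example of the triage described in the reply above, added here as an illustration and not code from the original thread or from the Snort project. It parses Snort 2.x "alert_fast" output, looks at the rule's classification and priority first (the "first hint"), and then applies local knowledge about which hosts are actually exposed: large ICMP echo requests aimed at the DNS servers are treated as the known CDN pattern, formmail probes are noise only on hosts that run a known-good formmail, and the IIS/web-worm rules only matter when the target is an IIS host. The sample alert lines, the SIDs (1000001 and up, local placeholders rather than real rule ids), the host lists and the set of worm rule messages are all constructed for this example; adjust them to your own network.

```python
"""Triage Snort 2.x fast-format alerts: classification/priority first, then
local exposure knowledge.  Sample lines, SIDs and host lists are constructed."""
import re
from collections import Counter

# Snort "alert_fast" line layout (Snort 2.x):
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <text>] [Priority: <n>] {<proto>} <src> -> <dst>
# The Classification block is optional; src/dst carry ":port" for TCP/UDP only.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Classification texts that are informational by definition (the
# not-suspicious / misc-activity style classtypes from classification.config).
INFORMATIONAL_CLASSES = {"Not Suspicious Traffic", "Misc activity", "Unknown Traffic"}

# Local knowledge: constructed for this example.
DNS_SERVERS = {"192.0.2.53"}            # targets of the CDN "large ICMP" probes
SECURE_FORMMAIL_HOSTS = {"192.0.2.80"}  # hosts running a formmail known to be current
IIS_HOSTS = {"192.0.2.81"}              # hosts the IIS/web-worm rules matter for
WEB_WORM_RULES = {"WEB-MISC http directory traversal", "WEB-IIS cmd.exe access",
                  "WEB-FRONTPAGE /_vti_bin/ access"}


def parse_fast_alert(line):
    """Return a dict of the alert fields, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    # Strip the port so host policies compare bare IPv4 addresses
    # (IPv6 addresses would need a different split).
    rec["src_ip"] = rec["src"].rsplit(":", 1)[0]
    rec["dst_ip"] = rec["dst"].rsplit(":", 1)[0]
    return rec


def verdict(rec):
    """One of: informational, likely-benign, noise-immune, attempt, investigate."""
    msg, dst = rec["msg"], rec["dst_ip"]
    # 1. First hint: the rule's own classification and priority.
    if rec["pri"] >= 3 or rec["cls"] in INFORMATIONAL_CLASSES:
        return "informational"
    # 2. Known non-issue pattern: large echo requests aimed at the DNS servers.
    if msg == "ICMP Large ICMP Packet" and dst in DNS_SERVERS:
        return "likely-benign"
    # 3. formmail probes fire on the attempt, not on success: noise where a
    #    known-good formmail lives, a real (unsuccessful) abuse attempt elsewhere.
    if msg == "WEB-CGI formmail access":
        return "noise-immune" if dst in SECURE_FORMMAIL_HOSTS else "attempt"
    # 4. Web-worm rules: only interesting when the target is an IIS host.
    if msg in WEB_WORM_RULES:
        return "investigate" if dst in IIS_HOSTS else "noise-immune"
    return "investigate"


def triage(lines):
    """Return [(verdict, sid, msg, dst_ip)] for every parsable alert line."""
    out = []
    for line in lines:
        rec = parse_fast_alert(line)
        if rec:
            out.append((verdict(rec), rec["sid"], rec["msg"], rec["dst_ip"]))
    return out


def summarize(results):
    """Count alerts per (verdict, msg) so the noisy rules stand out."""
    return Counter((v, msg) for v, _, msg, _ in results)


# Constructed sample alerts (SIDs are local placeholders, not real rule ids).
SAMPLE_ALERTS = [
    "02/25-09:10:01.000001  [**] [1:1000001:1] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 203.0.113.10 -> 192.0.2.53",
    "02/25-09:10:02.000002  [**] [1:1000002:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "02/25-09:10:03.000003  [**] [1:1000003:1] WEB-CGI formmail access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 198.51.100.7:4021 -> 192.0.2.80:80",
    "02/25-09:10:04.000004  [**] [1:1000003:1] WEB-CGI formmail access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 198.51.100.8:4022 -> 192.0.2.81:80",
    "02/25-09:10:05.000005  [**] [1:1000004:1] WEB-MISC http directory traversal [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:3001 -> 192.0.2.80:80",
    "02/25-09:10:06.000006  [**] [1:1000005:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:3002 -> 192.0.2.81:80",
]

if __name__ == "__main__":
    for v, sid, msg, dst in triage(SAMPLE_ALERTS):
        print(f"{v:14s} sid={sid} dst={dst} {msg}")
    for (v, msg), n in summarize(triage(SAMPLE_ALERTS)).most_common():
        print(f"{n:4d} {v:14s} {msg}")
```

The verdicts deliberately keep "attempt" separate from "investigate": a formmail probe against a host with no formmail is a real abuse attempt that failed, which is worth a counter but not an incident. Anything not covered by local knowledge falls through to "investigate", so a new rule is never silently downgraded.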


