Snort mailing list archives

Possible false positive?


From: "Harry M" <harrym () the-group org>
Date: Wed, 10 Dec 2003 21:55:51 -0000

I've just set up snort on my Win2k3 system for the first time, so this might
be misconfiguration :)

I'm getting alerts for rule 1112
(http://www.snort.org/snort-db/sid.html?sid=1112, WEB-MISC http directory
traversal). The destination ports do not match the contents of my HTTP_PORTS
variable (var HTTP_PORTS 80:4711). Here is a sample, copied from ACID:

   ID          Signature                                             Timestamp            Source Address     Dest. Address     Layer 4 Proto
   #0-(1-52)   [arachNIDS][snort] WEB-MISC http directory traversal   2003-12-10 21:44:36  <removed>:59971    <removed>:4662    TCP
   #1-(1-51)   [arachNIDS][snort] WEB-MISC http directory traversal   2003-12-10 21:44:33  <removed>:3974     <removed>:4662    TCP
   #2-(1-50)   [arachNIDS][snort] WEB-MISC http directory traversal   2003-12-10 21:42:57  <removed>:3974     <removed>:4662    TCP
   #3-(1-49)   [arachNIDS][snort] WEB-MISC http directory traversal   2003-12-10 21:42:53  <removed>:4662     <removed>:3940    TCP

The data being logged is actually eMule traffic. I can't see anything in the
payload that makes snort's reason for logging this traffic obvious. Does
anyone know why this rule is being matched? Could it be misconfiguration or
is it a false positive? How might I go about stopping eMule from triggering
this rule without deleting it? (It seems like a good rule to keep.) This
rule's entry in the signature database states that no false positives are
known, which leads me to think that it's probably misconfiguration, but I
don't see where.

Thanks in advance!

Arta
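One check worth running before treating this as a false positive is whether the logged destination ports actually fall outside HTTP_PORTS. The following Python snippet is an added example, not code from the post or from Snort; it parses Snort's port-variable syntax (`any`, a single port, an inclusive `low:high` range, the open-ended `:high` / `low:` forms, and a bracketed comma-separated list) and tests the destination ports from the ACID rows quoted above against `var HTTP_PORTS 80:4711`. Port negation (`!80`) is not handled. Note that in Snort `80:4711` means every port from 80 through 4711, so 4662 and 3940 both lie inside it.

```python
import re

# Constructed from the post: destination ports of the four quoted ACID rows
# and the HTTP_PORTS variable the poster set.
ACID_DEST_PORTS = [4662, 4662, 4662, 3940]
HTTP_PORTS = "80:4711"

PORT_MAX = 65535


def parse_port_var(spec: str) -> list[tuple[int, int]]:
    """Parse a Snort port specification into inclusive (low, high) ranges.

    Accepts 'any', a single port ('80'), a range ('80:4711'), open-ended
    ranges (':1023' means 0-1023, '1024:' means 1024-65535) and a bracketed
    or comma/whitespace separated list of those ('[80,8080]').
    Negated entries ('!80') are deliberately not supported here.
    """
    spec = spec.strip()
    if spec.lower() == "any":
        return [(0, PORT_MAX)]
    ranges: list[tuple[int, int]] = []
    for token in re.split(r"[,\s]+", spec.strip("[]")):
        if not token:
            continue
        if token.startswith("!"):
            raise ValueError(f"negated port spec not supported: {token!r}")
        if ":" in token:
            lo, hi = token.split(":", 1)
            lo_n = int(lo) if lo else 0
            hi_n = int(hi) if hi else PORT_MAX
        else:
            lo_n = hi_n = int(token)
        if not (0 <= lo_n <= hi_n <= PORT_MAX):
            raise ValueError(f"bad port token {token!r}")
        ranges.append((lo_n, hi_n))
    return ranges


def port_matches(port: int, spec: str) -> bool:
    """True if `port` is covered by the Snort port specification `spec`."""
    return any(lo <= port <= hi for lo, hi in parse_port_var(spec))


def check_alerts(dest_ports: list[int], spec: str) -> dict[int, bool]:
    """Map each distinct destination port to whether `spec` covers it."""
    return {p: port_matches(p, spec) for p in dest_ports}


if __name__ == "__main__":
    for port, covered in check_alerts(ACID_DEST_PORTS, HTTP_PORTS).items():
        print(f"dest port {port}: {'inside' if covered else 'outside'} HTTP_PORTS {HTTP_PORTS}")
```

Run as a script it reports both 4662 and 3940 as inside `80:4711`, which is the first thing to rule out before looking at the payload: a range that wide turns a rule scoped to HTTP servers into one that inspects nearly all high-port TCP traffic, eMule included.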



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users