Snort mailing list archives
Possible false positive?
From: "Harry M" <harrym () the-group org>
Date: Wed, 10 Dec 2003 21:55:51 -0000
I've just set up snort on my Win2k3 system for the first time, so this might be misconfiguration :)

I'm getting alerts for rule 1112 (http://www.snort.org/snort-db/sid.html?sid=1112, WEB-MISC http directory traversal). The destination ports do not match the contents of my HTTP_PORTS variable (var HTTP_PORTS 80:4711).

Here is a sample, copied from ACID:

ID         Signature                                             Timestamp            Source Address   Dest. Address    Layer 4 Proto
#0-(1-52)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:44:36  <removed>:59971  <removed>:4662   TCP
#1-(1-51)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:44:33  <removed>:3974   <removed>:4662   TCP
#2-(1-50)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:42:57  <removed>:3974   <removed>:4662   TCP
#3-(1-49)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:42:53  <removed>:4662   <removed>:3940   TCP

The data being logged is actually eMule traffic. I can't see anything in the payload that makes snort's reason for logging this traffic obvious.

Does anyone know why this rule is being matched? Could it be misconfiguration or is it a false positive? How might I go about stopping eMule from triggering this rule without deleting it? (It seems like a good rule to keep.)

This rule's entry in the signature database states that no false positives are known, which leads me to think that it's probably misconfiguration, but I don't see where.

Thanks in advance!

Arta
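An added example for checking a question like the one in the post above; it is not code from the post or from the Snort project. It parses the port-variable syntax Snort 2 accepts in a `var` line (`any`, a single port, `lo:hi` ranges with either bound omitted, `[...]` lists, and a leading `!` for negation), then pulls the destination ports out of ACID-style alert rows and reports whether each one falls inside the declared HTTP_PORTS. The alert rows are constructed from the table quoted in the post, and the function names (`parse_port_spec`, `port_in_spec`, `covered_by`) are this example's own. The point it makes visible is that `80:4711` is a range in Snort syntax, so port 4662 is covered by the variable exactly as declared, whereas a list written `[80,4711]` would not cover it.

```python
import re

MAX_PORT = 65535


def _expand_atom(atom: str) -> set[int]:
    """Expand one port atom: 'any', 'N', 'A:B', ':B' or 'A:'."""
    atom = atom.strip()
    if atom == "any":
        return set(range(MAX_PORT + 1))
    if ":" in atom:
        # Snort range syntax: 'lo:hi' is inclusive; a missing bound means
        # 0 (for ':hi') or 65535 (for 'lo:').
        lo_s, hi_s = atom.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else MAX_PORT
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"bad port range: {atom!r}")
        return set(range(lo, hi + 1))
    port = int(atom)
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"bad port: {atom!r}")
    return {port}


def parse_port_spec(spec: str) -> frozenset[int]:
    """Return the set of ports a Snort 2 port spec covers.

    Handles: any, 80, 80:4711, :1023, 1024:, [80,8080,8000:8010], and a
    leading '!' that negates the whole spec.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    atoms = spec[1:-1].split(",") if spec.startswith("[") and spec.endswith("]") else [spec]
    ports: set[int] = set()
    for atom in atoms:
        ports |= _expand_atom(atom)
    if negated:
        ports = set(range(MAX_PORT + 1)) - ports
    return frozenset(ports)


def port_in_spec(port: int, spec: str) -> bool:
    """True if `port` is covered by the Snort port spec `spec`."""
    return port in parse_port_spec(spec)


# Constructed sample rows in the same layout as the ACID table quoted above
# (example data, not a live capture).
SAMPLE_ALERTS = [
    "#0-(1-52) [arachNIDS][snort] WEB-MISC http directory traversal 2003-12-10 21:44:36 <removed>:59971 <removed>:4662 TCP",
    "#1-(1-51) [arachNIDS][snort] WEB-MISC http directory traversal 2003-12-10 21:44:33 <removed>:3974 <removed>:4662 TCP",
    "#2-(1-50) [arachNIDS][snort] WEB-MISC http directory traversal 2003-12-10 21:42:57 <removed>:3974 <removed>:4662 TCP",
    "#3-(1-49) [arachNIDS][snort] WEB-MISC http directory traversal 2003-12-10 21:42:53 <removed>:4662 <removed>:3940 TCP",
]

# Matches the trailing 'src:sport dst:dport PROTO' part of an ACID row.
_ALERT_RE = re.compile(
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)\s*$"
)


def dest_ports(alert_lines) -> list[int]:
    """Pull the destination port from each ACID-style alert row."""
    out = []
    for line in alert_lines:
        m = _ALERT_RE.search(line)
        if m:
            out.append(int(m.group("dport")))
    return out


def covered_by(var_decl: str, alert_lines) -> dict[int, bool]:
    """Given a 'var HTTP_PORTS <spec>' line, map each alert's destination
    port to whether the declared spec covers it."""
    _, _, spec = var_decl.split(None, 2)  # 'var', variable name, port spec
    return {p: port_in_spec(p, spec) for p in dest_ports(alert_lines)}


if __name__ == "__main__":
    # Range form as declared in the post, beside the list form that would
    # have meant "only ports 80 and 4711".
    for decl in ("var HTTP_PORTS 80:4711", "var HTTP_PORTS [80,4711]"):
        print(decl, "->", covered_by(decl, SAMPLE_ALERTS))
```

Run as a script it prints one line per declaration; with the range form every alerted destination port (4662 and 3940) reports True, so the rule's `$HTTP_PORTS` condition is satisfied by the variable as written and the port test alone cannot be what suppresses these alerts.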
Current thread:
- Possible false positive? Harry M (Dec 11)
- Re: Possible false positive? Josh Berry (Dec 11)
- RE: Possible false positive? Harry M (Dec 15)
- Re: Possible false positive? Josh Berry (Dec 11)