Re: Possible false positive?

["Josh Berry" <josh.berry () netschematics com>]

Probably because the eMule program (isn't that a P2P app?) is using port
80 and HTTP commands to operate (as a lot of P2P apps do) and somewhere in
the content has "..\\"

> I've just set up snort on my Win2k3 system for the first time, so this
> might
> be misconfiguration :)
>
> I'm getting alerts for rule 1112
> (http://www.snort.org/snort-db/sid.html?sid=1112, WEB-MISC http directory
> traversal). The destination ports do not match the contents of my
> HTTP_PORTS
> variable (var HTTP_PORTS 80:4711). Here is a sample, copied from ACID:
>
>    ID                   < Signature >                                                                   < Timestamp > 
>              < Source
> Address >    < Dest. Address >     < Layer 4 Proto >
>    #0-(1-52)        [arachNIDS][snort] WEB-MISC http directory traversal
> 2003-12-10 21:44:36        <removed>:59971       <removed>:4662        TCP
>    #1-(1-51)        [arachNIDS][snort] WEB-MISC http directory traversal
> 2003-12-10 21:44:33        <removed>:3974        <removed>:4662        TCP
>    #2-(1-50)        [arachNIDS][snort] WEB-MISC http directory traversal
> 2003-12-10 21:42:57        <removed>:3974        <removed>:4662        TCP
>    #3-(1-49)        [arachNIDS][snort] WEB-MISC http directory traversal
> 2003-12-10 21:42:53        <removed>:4662        <removed>:3940        TCP
>
> The data being logged is actually eMule traffic. I can't see anything in
> the
> payload that makes snort's reason for logging this traffic obvious. Does
> anyone know why this rule is being matched? Could it be misconfiguration
> or
> is it a false-positive? How might I go about stopping eMule from
> triggering
> this rule without deleting it? (It seems like a good rule to keep). This
> rule's entry in the signature database states that no false positives are
> known, which leads me to think that it's probably misconfiguration, but I
> don't see where.
>
> Thanks in advance!
>
> Arta
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users