Snort mailing list archives
RE: Possible false positive?
From: "Harry M" <harrym () the-group org>
Date: Thu, 11 Dec 2003 22:57:05 -0000
I figured it out in the end - it was misconfiguration. I didn't realise that 'var HTTP_PORTS 80:4711' was specifying a range and not a list. Since eMule uses 4662 to transfer data, the port matched the rule. The content did indeed contain '..\'. I changed HTTP_PORTS to 80 and it's ok now. I shall wait to put 4711 back when snort supports proper lists for ports :)

Arta

-----Original Message-----
From: Josh Berry [mailto:josh.berry () netschematics com]
Sent: 11 December 2003 22:46
To: Harry M
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Possible false positive?

Probably because the eMule program (isn't that a P2P app?) is using port 80 and HTTP commands to operate (as a lot of P2P apps do) and somewhere in the content has "..\\"

[Harry M's original message, as quoted in Josh's reply:]

I've just set up snort on my Win2k3 system for the first time, so this might be misconfiguration :) I'm getting alerts for rule 1112 (http://www.snort.org/snort-db/sid.html?sid=1112, WEB-MISC http directory traversal). The destination ports do not match the contents of my HTTP_PORTS variable (var HTTP_PORTS 80:4711). Here is a sample, copied from ACID:

ID         Signature                                             Timestamp            Source Address   Dest. Address    Layer 4 Proto
#0-(1-52)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:44:36  <removed>:59971  <removed>:4662   TCP
#1-(1-51)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:44:33  <removed>:3974   <removed>:4662   TCP
#2-(1-50)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:42:57  <removed>:3974   <removed>:4662   TCP
#3-(1-49)  [arachNIDS][snort] WEB-MISC http directory traversal  2003-12-10 21:42:53  <removed>:4662   <removed>:3940   TCP

The data being logged is actually eMule traffic. I can't see anything in the payload that makes snort's reason for logging this traffic obvious. Does anyone know why this rule is being matched? Could it be misconfiguration or is it a false-positive? How might I go about stopping eMule from triggering this rule without deleting it? (It seems like a good rule to keep). This rule's entry in the signature database states that no false positives are known, which leads me to think that it's probably misconfiguration, but I don't see where.

Thanks in advance!

Arta

Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
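Added example, not code from the thread or from Snort itself: a small Python model of how a Snort 2.x port variable expands, which shows why `var HTTP_PORTS 80:4711` covered eMule's port 4662 while `80` does not. The bracketed list form is the syntax later Snort versions accept; the eMule payload and the two-part sketch of sid 1112 are constructed for illustration.

```python
# Added illustration, not Snort's own code: a minimal model of how a
# Snort 2.x port variable is expanded and matched against a packet.
from typing import Set

def parse_port_var(spec: str) -> Set[int]:
    """Expand a port specification into the set of ports it covers.

    '80'         a single port
    '80:4711'    an inclusive RANGE (80, 81, ..., 4711), not the pair {80, 4711}
    ':1024'      0..1024;   '1024:'  1024..65535
    '[80,4711]'  a list (the bracketed syntax later Snort versions accept)
    'any'        every port
    """
    spec = spec.strip()
    if spec == "any":
        return set(range(0, 65536))
    if spec.startswith("[") and spec.endswith("]"):
        # Bracketed list: union of the comma-separated members (ranges allowed).
        return set().union(*(parse_port_var(m) for m in spec[1:-1].split(",")))
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return set(range(int(lo) if lo else 0, (int(hi) if hi else 65535) + 1))
    return {int(spec)}

def rule_1112_would_fire(dst_port: int, payload: bytes, http_ports: str) -> bool:
    """Sketch of sid 1112 (WEB-MISC http directory traversal) as a two-part test:
    destination port inside HTTP_PORTS, and the content string '..\\' in the payload."""
    return dst_port in parse_port_var(http_ports) and b"..\\" in payload

# Constructed stand-in for an eMule data-transfer packet: a Windows-style path
# fragment carrying '..\' sits inside what is, to Snort, opaque binary.
EMULE_SAMPLE = b"\xe3\x12\x00\x00\x00Shared\\Incoming\\..\\part.met"

def explain(dst_port: int, payload: bytes) -> dict:
    """Evaluate the same packet under the thread's three HTTP_PORTS candidates."""
    return {spec: rule_1112_would_fire(dst_port, payload, spec)
            for spec in ("80:4711", "80", "[80,4711]")}

if __name__ == "__main__":
    for spec, fired in explain(4662, EMULE_SAMPLE).items():
        covered = len(parse_port_var(spec))
        print(f"HTTP_PORTS {spec:<10} covers {covered:>5} ports -> alert: {fired}")
```

Running it shows the range form covering 4632 ports and alerting on the eMule packet, while both `80` and the list form leave port 4662 outside the rule's scope.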
Current thread:
- Possible false positive? Harry M (Dec 11)
- Re: Possible false positive? Josh Berry (Dec 11)
- RE: Possible false positive? Harry M (Dec 15)
- Re: Possible false positive? Josh Berry (Dec 11)