Snort mailing list archives
RE: False positive
From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Mon, 18 Jul 2005 20:26:12 -0400
I only started seeing ICMP PATH MTU denial of service after the bad April version of MS MS05-019. An updated version can out in June. I expect these to largely disappear once everyone updates to the new version. Bruce -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Kettler Sent: Monday, July 18, 2005 4:43 PM To: Angelita de Cássia Corrêa Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] False positive Angelita de Cássia Corrêa wrote:
Can I consider some false positives or really attempts in the alerts below? (http_inspect) BARE BYTE UNICODE ENCODING (http_inspect) OVERSIZE REQUEST-URI DIRECTORY (http_inspect) IIS UNICODE CODEPOINT ENCODING attempted-recon: (http_inspect) DOUBLE DECODING ATTACK
If you see these going to YOUR webserver, probably, unless you use very odd URIs that aren't supported by all servers. If it's coming from your clients going to outside servers, it is probably not an attack. You can't really expect to know what URIs outside sites use intentionally in their own URLs. Some use really long URIs, encoded URI, etc. You should consider setting up http_inspect to only watch traffic to your servers, and set it's limits to match what your server can handle. See snort.conf and doc/README.http_inspect.
non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING
That seems odd, but I don't know much about it. Could be cause by a nonstandard service being used over port 80. (check to see if the IP of yours is running something like accessmypc, or other oddball tunnels over port 80.)
(snort_decoder): Truncated Tcp Options (snort_decoder): Tcp Options found with bad lengths
Very strange, but likely to be random corrupted garbage packets. See if it correlates with other probes or activity from the same IP. Check your serverlogs, etc.
misc-activity: ICMP PING CyberKit 2.2 Windows
No, that's an informational rule. Someone used cyberkit to perform a ping sort saw. That's slightly suspicious as it's an oddball tool, but it is not an attack. It *could* be recon, so keep an eye on that IP for attacks.
attempted-dos: ICMP PATH MTU denial of service
That's either a broken router, or someone trying to DoS you by closing up the path MTU to something tiny. ------------------------------------------------------- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=ick _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=ort-users ------------------------------------------------------- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: False positive Angelita de Cássia Corrêa (Jul 18)
- Re: False positive Matt Kettler (Jul 18)
- SYN Proxy Xavier Cabrera (Jul 19)
- Re: SYN Proxy Jason Brvenik (Jul 19)
- Re: SYN Proxy Matt Kettler (Jul 19)
- Re: SYN Proxy Will Metcalf (Jul 19)
- Re: SYN Proxy Xavier Cabrera (Jul 19)
- Re: SYN Proxy Matt Kettler (Jul 20)
- Re: SYN Proxy Daniel Cid (Jul 20)
- Re: SYN Proxy Xavier Cabrera (Jul 20)
- <Possible follow-ups>
- RE: False positive Briggs, Bruce (Jul 18)