Snort mailing list archives
Re: SiD:4129 - No FP - No FN but wrong
From: Crusty Saint <saintcrusty () gmail com>
Date: Tue, 29 Mar 2011 09:36:25 +0200
Hi Joel, I have rev:4 here, no updates are expected any time soon. For now there are just two occurences. Given your reply i'll have a look at the pcap and if still required forward you the data. Thanks for your constructive reply 2011/3/28 Joel Esler <jesler () sourcefire com>
What rev of the rule are you running? The copy I have (4) has a content match, two byte jumps and a byte_test. Plus there is a specific port coded into it. That's fairly specific, but I see how a FP would occur. Do you have a pcap? Joel On Mar 28, 2011, at 11:08 AM, Crusty Saint wrote: Hi, For http://www.snort.org/search/sid/4129 "EXPLOIT Novell ZenWorks Remote Management Agent large login packet DoS attempt" i see no false-positive or false-negative reported but there possibly could be one now. Though the root-cause might well be PEBKAC. I think it is safe to assume such pebkac-positive would occur when a rule is active and applied on a network not using the specified service/protocol but i also hope snort's logic is sufficiently precise to eliminate such erronous detections. Based on what i've seen in the rule the detection is based on just two bytes so i assume the FP/FN rate to be much higher (? help ?) if used on a network without related traffic present. Best Regards, Saint Crusty -- - - - Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I deserve a rant, write me off-list ------------------------------------------------------------------------------ Enable your software for Intel(R) Active Management Technology to meet the growing manageability and security demands of your customers. Businesses are taking advantage of Intel(R) vPro (TM) technology - will your software be a part of the solution? Download the Intel(R) Manageability Checker today! http://p.sf.net/sfu/intel-dev2devmar_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users -- Joel Esler http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net Twitter: http://twitter.com/snort
-- - - - Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I deserve a rant, write me off-list
------------------------------------------------------------------------------ Enable your software for Intel(R) Active Management Technology to meet the growing manageability and security demands of your customers. Businesses are taking advantage of Intel(R) vPro (TM) technology - will your software be a part of the solution? Download the Intel(R) Manageability Checker today! http://p.sf.net/sfu/intel-dev2devmar
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SiD:4129 - No FP - No FN but wrong Crusty Saint (Mar 28)
- Re: SiD:4129 - No FP - No FN but wrong rmkml (Mar 28)
- Re: SiD:4129 - No FP - No FN but wrong Joel Esler (Mar 28)
- Re: SiD:4129 - No FP - No FN but wrong Crusty Saint (Mar 29)
- Re: SiD:4129 - No FP - No FN but wrong Joel Esler (Mar 29)
- Re: SiD:4129 - No FP - No FN but wrong Crusty Saint (Mar 29)
- Re: SiD:4129 - No FP - No FN but wrong Crusty Saint (Mar 29)