Snort mailing list archives
Re: False positives on mysql traffic
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 28 Apr 2015 19:52:30 +0000
That's really not much to go on. Maybe someone on the boards can help out.

Thanks.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 [mailto:michael.jacobi1 () navy mil]
Sent: Tuesday, April 28, 2015 3:12 PM
To: Al Lewis (allewi); For Sinton
Cc: snort-users () lists sourceforge net
Subject: RE: False positives on mysql traffic

I am seeing this happen between a MySQL server and client. I am not allowed to send a pcap, but the rule is:

MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (sid 32609)

Mike Jacobi

________________________________________
From: Al Lewis (allewi) [allewi () cisco com]
Sent: Tuesday, April 28, 2015 7:37 AM
To: For Sinton
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] False positives on mysql traffic

Hello,

Can you send us the pcap in binary format and the rule that is suspected of alerting incorrectly, please?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: For Sinton [mailto:forsin () inbox kg]
Sent: Monday, April 27, 2015 11:54 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] False positives on mysql traffic

Hello, here is the pcap traffic:

0000000: 41 00 00 00 03 53 45 4c 45 43 54 20 74 5f 5f 30 2e 2a 0a 46 52 4f 4d 20 0a 76  A....SELECT.t__0.*.FROM..v
000001A: 69 65 77 73 5f 76 69 65 77 20 74 5f 5f 30 0a 57 48 45 52 45 20 20 28 6e 61 6d  iews_view.t__0.WHERE..(nam
0000034: 65 20 49 4e 20 20 28 27 70 6f 6c 6c 73 27 29 29 20                              e.IN..('polls')).
----- Original message -----
From: snort-users-request () lists sourceforge net
To: "forsin" <forsin () inbox kg>
Sent: Tuesday, 28 April 2015 9:52:50
Subject: Welcome to the "Snort-users" mailing list

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
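The hex dump For Sinton posted is enough to start triage even without the full pcap. As an added example (not written by anyone in the thread), the Python below recovers the raw bytes from that dump and decodes them as a MySQL client packet: a 3-byte little-endian payload length (0x41 = 65), a sequence id of 0, and a COM_QUERY command (0x03) carrying the SELECT shown in the ASCII column. The dump parser, the small command table and the triage summary are mine; the only input is the bytes as posted. Whether sid 32609 should have fired on this depends on the rule's content options, which the thread does not reproduce, so the script only establishes what the traffic actually is, which is the first thing to pin down before calling it a false positive.

```python
import re

# The packet bytes For Sinton posted to the list, copied from the hex dump in
# the thread: an offset, the hex bytes, then an ASCII column with '.' for
# non-printable bytes (spaces included). These are the poster's bytes, not
# constructed data.
POSTED_DUMP = """\
0000000: 41 00 00 00 03 53 45 4c 45 43 54 20 74 5f 5f 30 2e 2a 0a 46 52 4f 4d 20 0a 76 A....SELECT.t__0.*.FROM..v
000001A: 69 65 77 73 5f 76 69 65 77 20 74 5f 5f 30 0a 57 48 45 52 45 20 20 28 6e 61 6d iews_view.t__0.WHERE..(nam
0000034: 65 20 49 4e 20 20 28 27 70 6f 6c 6c 73 27 29 29 20 e.IN..('polls')).
"""

# Command bytes from the MySQL client/server protocol (a subset). Only
# COM_QUERY (0x03) occurs in the posted capture.
MYSQL_COMMANDS = {
    0x01: "COM_QUIT",
    0x02: "COM_INIT_DB",
    0x03: "COM_QUERY",
    0x0E: "COM_PING",
    0x16: "COM_STMT_PREPARE",
    0x17: "COM_STMT_EXECUTE",
}

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw bytes from an 'OFFSET: xx xx ... ascii' dump.

    Tokens after the offset are consumed while they are exactly two hex
    digits; the first token that is not marks the start of the ASCII column.
    Each line's offset must equal the number of bytes already recovered, so
    a dropped or reordered line raises instead of yielding silent garbage.
    """
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset_str, rest = line.split(":", 1)
        offset = int(offset_str, 16)
        if offset != len(out):
            raise ValueError(f"line offset {offset:#x} != {len(out):#x} bytes recovered")
        for tok in rest.split():
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_mysql_packets(data: bytes):
    """Split a client-to-server MySQL stream into (sequence_id, command, body).

    Wire format: 3-byte little-endian payload length, 1-byte sequence id,
    then the payload, whose first byte is the command code. Truncation is an
    error, not something to guess around.
    """
    packets = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated MySQL packet header")
        length = int.from_bytes(data[pos:pos + 3], "little")
        seq = data[pos + 3]
        payload = data[pos + 4:pos + 4 + length]
        if length == 0 or len(payload) != length:
            raise ValueError(f"bad payload: header says {length}, have {len(payload)}")
        packets.append((seq, payload[0], payload[1:]))
        pos += 4 + length
    return packets


def triage(data: bytes):
    """Summarise each packet the way you would when judging an alert: is it a
    well-formed MySQL command, and what does it carry?"""
    rows = []
    for seq, cmd, body in parse_mysql_packets(data):
        name = MYSQL_COMMANDS.get(cmd, f"unknown(0x{cmd:02x})")
        text = body.decode("utf-8", errors="replace") if name == "COM_QUERY" else body.hex()
        rows.append({"seq": seq, "command": name, "body": text})
    return rows


if __name__ == "__main__":
    for row in triage(hexdump_to_bytes(POSTED_DUMP)):
        print(f"seq={row['seq']} {row['command']}: {row['body']!r}")
```

Run as-is it reports a single packet, seq 0, COM_QUERY, with the 64-byte SELECT that together with the command byte accounts for exactly the 65-byte payload the header announces. When a rule like this one alerts on a database connection, the next step is to compare the rule's content/pcre options against these decoded bytes; if they match generic byte patterns that also occur in ordinary query text, that is the case to make to the rule maintainers, which is why the list asked for both the pcap and the rule.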
Current thread:
- Re: False positives on mysql traffic For Sinton (Apr 27)
- Re: False positives on mysql traffic Al Lewis (allewi) (Apr 28)
- Re: False positives on mysql traffic Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 (Apr 28)
- Re: False positives on mysql traffic Al Lewis (allewi) (Apr 28)
- Re: False positives on mysql traffic Jacobi, Michael W CIV NSWCCD Philadelphia, 10432 (Apr 28)
- Re: False positives on mysql traffic Al Lewis (allewi) (Apr 28)