Snort mailing list archives

Fwd: false positives


From: Vail () gmx net
Date: Tue, 7 Aug 2001 13:46:16 +0200 (MEST)

greetings,

After I installed snort-1.8p1 on an OpenBSD box and configured some rules,
I get the following false positives (see below). I wonder what services
could create such false positives...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[**] [1:530:2] NETBIOS NT NULL session [**]
[Classification: Attempted Information Leak] [Priority: 3]
08/06-21:49:55.395977 0:50:4:48:2A:A6 -> 0:1:2:7:F2:1 type:0x800 len:0xEE
192.168.2.116:3152 -> 192.168.2.50:139 TCP TTL:128 TOS:0x1C ID:937 IpLen:20 DgmLen:224 DF
***AP*** Seq: 0xCA59  Ack: 0x37F46A8  Win: 0x21D9  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/1163]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2000-0347]
[Xref => http://www.whitehats.com/info/IDS204]
 
 
192.168.2.116 is just an NT 4.0 client
192.168.2.50 is the fileserver/PDC
 
I think it could be some sort of process which uses IPC 
communications or something like that.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[**] [1:254:1] DNS SPOOF query response with ttl [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/07-14:49:28.183468 0:1:2:7:F2:1 -> 0:1:2:B5:53:8C type:0x800 len:0x5D
192.168.2.50:53 -> 192.168.2.68:2329 UDP TTL:128 TOS:0x0 ID:48283 IpLen:20 DgmLen:79
Len: 59
 
Same situation as above: a client connects to the PDC/fileserver. Nobody here
is even aware of what DNS spoofing is... so it must be a false positive.
What could it be?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
08/06-21:51:39.248579 0:50:4:48:2A:A6 -> 0:8:C7:28:B:A9 type:0x800 len:0x76
192.168.2.116:2992 -> 192.168.2.11:139 TCP TTL:128 TOS:0x1C ID:3516 IpLen:20 DgmLen:104 DF
***AP*** Seq: 0x1AA771  Ack: 0xF87316  Win: 0x2238  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
08/07-15:47:05.861621 0:50:4:48:2A:A6 -> 0:8:C7:1E:44:B0 type:0x800 len:0x1B8
192.168.2.116:1152 -> 213.83.6.2:80 TCP TTL:128 TOS:0x10 ID:44336 IpLen:20
DgmLen:426 DF
***AP*** Seq: 0x9BB2  Ack: 0xE7C2948E  Win: 0x2238  TcpLen: 20
 
Where can I read more about alerts like this when there's no Xref => ? Can
someone explain these 2, please?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
My best regards,
marion
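For triaging output like the alerts quoted above, here is an added example (not from the post or from Snort itself) that parses Snort's full alert format into structured records, separates rules-engine alerts (gid 1, which carry Xref lines) from preprocessor alerts (other gids such as 110/111, which carry none), and flags alerts whose endpoints are both on the LAN. The sample alerts, the 192.168.2.0/24 prefix and the gid interpretation are assumptions modelled on the post.

```python
import ipaddress
import re
# Constructed sample in snort's "full" alert format, modelled on the post:
# a rule alert (gid 1, has Xref) and a stream4 preprocessor alert (gid 111,
# no Classification, no Xref). The mail-wrapped header lines are re-joined.
SAMPLE = """\
[**] [1:530:2] NETBIOS NT NULL session [**]
[Classification: Attempted Information Leak] [Priority: 3]
192.168.2.116:3152 -> 192.168.2.50:139 TCP TTL:128 TOS:0x1C ID:937 IpLen:20 DgmLen:224 DF
[Xref => http://www.securityfocus.com/bid/1163]

[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
192.168.2.116:2992 -> 192.168.2.11:139 TCP TTL:128 TOS:0x1C ID:3516 IpLen:20 DgmLen:104 DF
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
CLASS = re.compile(r"^\[Classification: (.*)\] \[Priority: (\d+)\]$")
FLOW = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+) (TCP|UDP)\b")
XREF = re.compile(r"^\[Xref => (\S+)\]$")

def parse_alerts(text):
    """Split full-format alert output into one dict per [**] block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue  # stray text, not an alert header
        gid, sid, rev = (int(x) for x in head.group(1, 2, 3))
        a = {"gid": gid, "sid": sid, "rev": rev, "msg": head.group(4), "classification": None,
             "priority": None, "src": None, "dst": None, "proto": None, "xrefs": []}
        for line in lines[1:]:
            if c := CLASS.match(line):
                a["classification"], a["priority"] = c.group(1), int(c.group(2))
            elif f := FLOW.match(line):
                a["src"] = (f.group(1), int(f.group(2)))
                a["dst"] = (f.group(3), int(f.group(4)))
                a["proto"] = f.group(5)
            elif x := XREF.match(line):
                a["xrefs"].append(x.group(1))
        # gid 1 is the rules engine; other gids are preprocessors (spp_*) with no Xref.
        a["source"] = "rule" if gid == 1 else "preprocessor"
        alerts.append(a)
    return alerts

def internal_only(alert, lan="192.168.2.0/24"):
    """True when both endpoints lie inside the LAN prefix (assumed here)."""
    net = ipaddress.ip_network(lan)
    return all(ipaddress.ip_address(ip) in net for ip, _ in (alert["src"], alert["dst"]))
```

Preprocessor alerts have no rule file to read, so their documentation lives with the preprocessor (spp_stream4, spp_unidecode) rather than in an Xref.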
 


