Snort mailing list archives

Re: [Snort-sigs] Reporting false positive for Snort rule


From: "Josh Berry" <josh.berry () netschematics com>
Date: Tue, 24 Feb 2004 10:20:45 -0600 (CST)

I was seeing thousands of these also, same situation of Netware to Netware
traffic with the same data.

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flags:S,12; dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526; classtype:misc-activity; rev:6;)

--
Sid:
526
--
Summary:
Reporting a potential false positive
--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
I am seeing a significant # of hits on this rule, always from a NetWare
server running "DS Expert", sending to another NetWare server (being
monitored by DSExpert).  This may be due to DSExpert being an older copy,
but thought you'd want to know.  Here's the TCP data.  Destination port is
always 524, with SYN set.
000 : 74 4E 63 50 00 00 00 0F 11 11 00 FF 00 FF 00      tNcP...........

--
False Negatives:

--
Corrective Action:

--
Contributors:

--
Additional References


Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
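Added example (not part of the original post or of Snort): a small triage helper that re-implements the match condition of sid 526 as quoted above and then tags hits that fit the NetWare pattern described in the report (SYN to port 524 whose data begins with the bytes from the posted dump). Host addresses and the extra sample segments are constructed.

```python
# Added example, not from the original post. Re-implements the sid 526 match
# (flags:S,12 and dsize:>6) and classifies a hit as the NetWare pattern from
# the report. Hosts and non-NetWare samples below are constructed.
from dataclasses import dataclass

# TCP flag bits; "flags:S,12" tells Snort to ignore the two reserved bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
RESERVED_MASK = 0xC0
# "tNcP": first four bytes of the hex dump quoted in the post. Assumption: this
# prefix is enough to recognise the NetWare-to-NetWare traffic being reported.
NCP_PREFIX = bytes.fromhex("744E6350")

@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    flags: int
    payload: bytes

def matches_sid_526(seg: Segment) -> bool:
    """flags:S,12 -> exactly SYN set once reserved bits are masked off;
    dsize:>6 -> more than six payload bytes."""
    effective = seg.flags & ~RESERVED_MASK
    return effective == SYN and len(seg.payload) > 6

def looks_like_netware_ncp(seg: Segment) -> bool:
    """The benign pattern from the report: data in a SYN to port 524 that
    starts with the tNcP bytes."""
    return seg.dport == 524 and seg.payload.startswith(NCP_PREFIX)

def triage(seg: Segment) -> str:
    """Return what an analyst would do with this segment under sid 526."""
    if not matches_sid_526(seg):
        return "no-alert"
    if looks_like_netware_ncp(seg):
        return "alert-suppressed-netware"
    return "alert"

# Constructed samples. NETWARE_SYN carries the exact payload bytes from the
# post (15 bytes) with one reserved bit set to exercise the ",12" mask.
NETWARE_SYN = Segment("10.0.0.5", "10.0.0.6", 524, SYN | 0x80,
                      bytes.fromhex("744E63500000000F111100FF00FF00"))
OTHER_SYN = Segment("198.51.100.7", "10.0.0.6", 80, SYN, b"GET / HTTP/1.0\r\n")
PLAIN_SYN = Segment("198.51.100.7", "10.0.0.6", 524, SYN, b"")
SYNACK_DATA = Segment("10.0.0.6", "10.0.0.5", 524, SYN | ACK, b"x" * 10)

if __name__ == "__main__":
    for s in (NETWARE_SYN, OTHER_SYN, PLAIN_SYN, SYNACK_DATA):
        print(s.src, "->", s.dst, s.dport, triage(s))
```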
