Snort mailing list archives
Re: [Snort-sigs] Reporting false positive for Snort rule
From: "Josh Berry" <josh.berry () netschematics com>
Date: Tue, 24 Feb 2004 10:20:45 -0600 (CST)
I was seeing thousands of these also, same situation of Netware to Netware traffic with the same data.
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
# Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flags:S,12; dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526; classtype:misc-activity; rev:6;)
--
Sid: 526
--
Summary: Reporting a potential false positive
--
Impact:
--
Detailed Information:
--
Affected Systems:
--
Attack Scenarios:
--
Ease of Attack:
--
False Positives:
I am seeing a significant # of hits on this rule, always from a NetWare server running "DS Expert", sending to another NetWare server (being monitored by DSExpert). This may be due to DSExpert being an older copy, but thought you'd want to know.
Here's the TCP data. Destination port is always 524, with SYN set.
000 : 74 4E 63 50 00 00 00 0F 11 11 00 FF 00 FF 00 tNcP...........
--
False Negatives:
--
Corrective Action:
--
Contributors:
--
Additional References
Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
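Emulating the matching logic of sid:526 (flags:S,12; dsize:>6) on constructed TCP segments shows why the NetWare NCP SYN quoted in the report fires the rule while an ordinary empty SYN does not. This is an added example, not code from the original post or from Snort; the packet builder, the sample names and every port other than 524 are assumptions.

```python
import struct

# TCP flag bits as they sit in the low byte of the TCP flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80   # Snort calls these "reserved bit 2" and "reserved bit 1"

def build_tcp_segment(sport, dport, flags, payload=b""):
    """Construct a minimal 20-byte TCP header (no options) plus payload.
    Seq/ack/checksum are zero: this is constructed test input, not a live capture."""
    data_offset = 5 << 4                                   # 5 words = 20-byte header
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 8192, 0, 0)
    return hdr + payload

def parse_tcp(segment):
    """Return the fields sid:526 cares about: ports, flag byte and payload."""
    sport, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "flags": flags, "payload": segment[hdr_len:]}

def sid526_matches(segment):
    """Emulate sid:526 -- flags:S,12; dsize:>6.
    'S' with no +/*/! modifier means the flag byte must equal exactly SYN once the
    bits listed after the comma (reserved bits 1 and 2 = CWR and ECE) are masked out,
    and dsize:>6 requires more than 6 bytes of TCP payload."""
    pkt = parse_tcp(segment)
    return (pkt["flags"] & ~(CWR | ECE)) == SYN and len(pkt["payload"]) > 6

# The 15 payload bytes quoted in the report: a NetWare NCP-over-TCP SYN to port 524.
NCP_SYN_DATA = bytes.fromhex("74 4E 63 50 00 00 00 0F 11 11 00 FF 00 FF 00")

# Constructed samples (hypothetical ports other than 524).
SAMPLES = {
    "plain_syn":       build_tcp_segment(40000, 80, SYN),                      # empty SYN
    "netware_ncp_syn": build_tcp_segment(1024, 524, SYN, NCP_SYN_DATA),        # the FP case
    "ecn_ncp_syn":     build_tcp_segment(1024, 524, SYN | ECE | CWR, NCP_SYN_DATA),
    "syn_ack_data":    build_tcp_segment(524, 1024, SYN | ACK, NCP_SYN_DATA),
}

def evaluate(samples=SAMPLES):
    """Map each sample name to whether sid:526 would fire on it."""
    return {name: sid526_matches(seg) for name, seg in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16s} sid:526 {'ALERT' if hit else 'no alert'}")
```

The ECN sample fires too: the ",12" modifier makes the rule ignore CWR/ECE, so a SYN with ECN negotiation and data is treated the same as a plain data-bearing SYN.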