Snort mailing list archives

Re: False positive

From: Angelita de Cássia Corrêa <angelita () uol com br>
Date: Mon, 18 Jul 2005 15:54:54 -0300

Can I consider some false positives or really attempts in the alerts below?

(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) IIS UNICODE CODEPOINT ENCODING
(snort_decoder): Truncated Tcp Options
(snort_decoder): Tcp Options found with bad lengths
attempted-recon: (http_inspect) DOUBLE DECODING ATTACK
attempted-dos: ICMP PATH MTU denial of service
misc-activity: ICMP PING CyberKit 2.2 Windows
non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING


Thanks


----- Original Message ----- 
From: "Angelita de Cássia Corrêa" <angelita () uol com br>
To: "Joel Esler" <eslerj () gmail com>
Cc: <snort-users () lists sourceforge net>
Sent: Monday, July 18, 2005 12:10 PM
Subject: Re: [Snort-users] False positive

The payloads don't have data.

Before turn off these pre processors, I'm trying to understand them. I

need

to calculate how many false positives the snort shows.

Thanks

----- Original Message ----- 
From: "Joel Esler" <eslerj () gmail com>
To: "Angelita de Cássia Corrêa" <angelita () uol com br>
Cc: <snort-users () lists sourceforge net>
Sent: Monday, July 18, 2005 11:59 AM
Subject: Re: [Snort-users] False positive

I think the use of the words "false positive" in this instance is
wrong.  A false positive indicates that what alerted a rule is not what
is actually taking place in traffic.  The rule will alert on what you
have in the rule construct.  Now will the "msg" of the alert match what
is actually taking place?  That's what you're asking...

It's not possible (hardly) to be able to tell which of the alerts are
"false positives" without actual packet payload data.

Joel

On Jul 18, 2005, at 10:43 AM, Angelita de Cássia Corrêa wrote:

I receive many of these alerts, what are really false positives?

(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) IIS UNICODE CODEPOINT ENCODING
(snort_decoder): Truncated Tcp Options
(snort_decoder): Tcp Options found with bad lengths
attempted-recon: (http_inspect) DOUBLE DECODING ATTACK
attempted-dos: ICMP PATH MTU denial of service
misc-activity: ICMP PING CyberKit 2.2 Windows
non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING

Thanks,
Angelita







-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: False positive Angelita de Cássia Corrêa (Jul 18)
- Re: False positive Matt Kettler (Jul 18)
- SYN Proxy Xavier Cabrera (Jul 19)
  - Re: SYN Proxy Jason Brvenik (Jul 19)
  - Re: SYN Proxy Matt Kettler (Jul 19)
    - Re: SYN Proxy Will Metcalf (Jul 19)
    - Re: SYN Proxy Xavier Cabrera (Jul 19)
    - Re: SYN Proxy Matt Kettler (Jul 20)
    - Re: SYN Proxy Daniel Cid (Jul 20)
    - Re: SYN Proxy Xavier Cabrera (Jul 20)
- <Possible follow-ups>
- RE: False positive Briggs, Bruce (Jul 18)