Snort mailing list archives
Re: False positive
From: Angelita de Cássia Corrêa <angelita () uol com br>
Date: Mon, 18 Jul 2005 15:54:54 -0300
Can I consider some false positives or really attempts in the alerts below? (http_inspect) BARE BYTE UNICODE ENCODING (http_inspect) OVERSIZE REQUEST-URI DIRECTORY (http_inspect) IIS UNICODE CODEPOINT ENCODING (snort_decoder): Truncated Tcp Options (snort_decoder): Tcp Options found with bad lengths attempted-recon: (http_inspect) DOUBLE DECODING ATTACK attempted-dos: ICMP PATH MTU denial of service misc-activity: ICMP PING CyberKit 2.2 Windows non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING Thanks ----- Original Message ----- From: "Angelita de Cássia Corrêa" <angelita () uol com br> To: "Joel Esler" <eslerj () gmail com> Cc: <snort-users () lists sourceforge net> Sent: Monday, July 18, 2005 12:10 PM Subject: Re: [Snort-users] False positive
The payloads don't have data. Before turn off these pre processors, I'm trying to understand them. I
need
to calculate how many false positives the snort shows. Thanks ----- Original Message ----- From: "Joel Esler" <eslerj () gmail com> To: "Angelita de Cássia Corrêa" <angelita () uol com br> Cc: <snort-users () lists sourceforge net> Sent: Monday, July 18, 2005 11:59 AM Subject: Re: [Snort-users] False positive I think the use of the words "false positive" in this instance is wrong. A false positive indicates that what alerted a rule is not what is actually taking place in traffic. The rule will alert on what you have in the rule construct. Now will the "msg" of the alert match what is actually taking place? That's what you're asking... It's not possible (hardly) to be able to tell which of the alerts are "false positives" without actual packet payload data. Joel On Jul 18, 2005, at 10:43 AM, Angelita de Cássia Corrêa wrote:I receive many of these alerts, what are really false positives? (http_inspect) BARE BYTE UNICODE ENCODING (http_inspect) OVERSIZE REQUEST-URI DIRECTORY (http_inspect) IIS UNICODE CODEPOINT ENCODING (snort_decoder): Truncated Tcp Options (snort_decoder): Tcp Options found with bad lengths attempted-recon: (http_inspect) DOUBLE DECODING ATTACK attempted-dos: ICMP PATH MTU denial of service misc-activity: ICMP PING CyberKit 2.2 Windows non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING Thanks, Angelita
------------------------------------------------------- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: False positive Angelita de Cássia Corrêa (Jul 18)
- Re: False positive Matt Kettler (Jul 18)
- SYN Proxy Xavier Cabrera (Jul 19)
- Re: SYN Proxy Jason Brvenik (Jul 19)
- Re: SYN Proxy Matt Kettler (Jul 19)
- Re: SYN Proxy Will Metcalf (Jul 19)
- Re: SYN Proxy Xavier Cabrera (Jul 19)
- Re: SYN Proxy Matt Kettler (Jul 20)
- Re: SYN Proxy Daniel Cid (Jul 20)
- Re: SYN Proxy Xavier Cabrera (Jul 20)
- <Possible follow-ups>
- RE: False positive Briggs, Bruce (Jul 18)