Re: FPs on XML PHP signatures.

[Joel Esler <joel.esler () sourcefire com>]

Are you using Barnyard??

Joel



On Dec 7, 2005, at 12:25 PM, qwerty qwertytrewq wrote:

> Hi list.
>
> The XML PHP signatures from both VRT and Bleeding Snort (sid 3827  
> rev 1 and sid 2002158 rev 4) have been triggering fine for a couple  
> of months on my sensor.
> But recently they have produced some FPs on what lookes like  
> perfectly legal traffic.
>
> Here is a dump of traffic that both sigs triggered on:
>
> 0000  00 00 0c 07 ac 01 00 04  23 09 11 7c 08 00 45 00   ........  
> #..|..E.
> 0010  01 88 78 a6 40 00 7d 06  52 df 8b 6c f4 85 d8 28   ..x.@.}.  
> R..l...(
> 0020  d8 cf 85 f7 00 50 3c b0  a9 2a 5b 55 f2 37 50 18   .....P<. .* 
> [U.7P.
> 0030  43 54 55 fd 00 00 47 45  54 20 2f 70 6c 61 79 65   CTU...GE  
> T /playe
> 0040  72 73 2f 61 77 61 72 64  73 2f 53 69 6c 76 65 72   rs/award s/ 
> Silver
> 0050  4d 65 64 61 6c 2e 67 69  66 20 48 54 54 50 2f 31   Medal.gi f  
> HTTP/1
> 0060  2e 30 0d 0a 56 69 61 3a  20 31 2e 30 20 53 50 52   .0..Via:   
> 1.0 SPR
> 0070  58 30 32 2c 20 31 2e 30  20 53 50 52 58 30 31 0d   X02, 1.0   
> SPRX01.
> 0080  0a 49 66 2d 4e 6f 6e 65  2d 4d 61 74 63 68 3a 20   .If-None - 
> Match:
> 0090  22 36 33 64 37 32 2d 33  63 37 2d 33 65 32 37 35   "63d72-3  
> c7-3e275
> 00a0  33 34 33 22 0d 0a 55 73  65 72 2d 41 67 65 6e 74   343"..Us  
> er-Agent
> 00b0  3a 20 4d 6f 7a 69 6c 6c  61 2f 34 2e 30 20 28 63   : Mozill a/ 
> 4.0 (c
> 00c0  6f 6d 70 61 74 69 62 6c  65 3b 20 4d 53 49 45 20   ompatibl  
> e; MSIE
> 00d0  36 2e 30 3b 20 57 69 6e  64 6f 77 73 20 4e 54 20   6.0; Win  
> dows NT
> 00e0  35 2e 31 29 0d 0a 48 6f  73 74 3a 20 67 6f 74 6d   5.1)..Ho  
> st: gotm
> 00f0  2e 63 69 76 66 61 6e 61  74 69 63 73 2e 6e 65 74   .civfana  
> tics.net
> 0100  0d 0a 49 66 2d 4d 6f 64  69 66 69 65 64 2d 53 69   ..If-Mod  
> ified-Si
> 0110  6e 63 65 3a 20 46 72 69  2c 20 31 37 20 4a 61 6e   nce: Fri ,  
> 17 Jan
> 0120  20 32 30 30 33 20 30 30  3a 35 30 3a 31 31 20 47    2003 00 : 
> 50:11 G
> 0130  4d 54 0d 0a 41 63 63 65  70 74 3a 20 2a 2f 2a 0d   MT..Acce  
> pt: */*.
> 0140  0a 52 65 66 65 72 65 72  3a 20 68 74 74 70 3a 2f   .Referer :  
> http:/
> 0150  2f 77 77 77 2e 63 69 76  66 61 6e 61 74 69 63 73   /www.civ  
> fanatics
> 0160  2e 63 6f 6d 2f 0d 0a 41  63 63 65 70 74 2d 4c 61   .com/..A  
> ccept-La
> 0170  6e 67 75 61 67 65 3a 20  6e 6f 0d 0a 43 6f 6e 6e   nguage:   
> no..Conn
> 0180  65 63 74 69 6f 6e 3a 20  4b 65 65 70 2d 41 6c 69   ection:   
> Keep-Ali
> 0190  76 65 0d 0a 0d 0a                                  ve....
>
> Perfmon shows no sign of the sensor being stressed, both mbit/sec  
> and packet loss are
> producing normal numbers. No peaks whatsoever.
>
> Anyone else experienced FPs on these signatures?
>
> Thanks!
>
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today it's  
> FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through  
> log files
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  DOWNLOAD  
> SPLUNK!
> http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users