Snort mailing list archives
Re: FPs on 13711-13713
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 26 Aug 2010 18:53:25 -0400
On 8/26/2010 16:12, Castle, Shane wrote:
The recently added rules 13711, 13712, and 13713 all exhibit FP behavior for the google chat application, google Talk, using XMPP.
wow.. really??? that would seem to indicate that they are, in the first place, using the mysql TCP port of 3306 for their communications... if so, that doesn't seem nice at all... those rules check for the non-existence of several flowbits... could that be part of the problem if you have the rules that set those flowbits disabled?? i do note that those rules do set flowbit sslv2.client_hello.request but that's not one of the ones being checked...
Attached are pcaps.
------------------------------------------------------------------------------ Sell apps to millions through the Intel(R) Atom(Tm) Developer Program Be part of this innovative community and reach millions of netbook users worldwide. Take advantage of special opportunities to increase revenue and speed time-to-market. Join now, and jumpstart your future. http://p.sf.net/sfu/intel-atom-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- FPs on 13711-13713 Castle, Shane (Aug 26)
- Re: FPs on 13711-13713 waldo kitty (Aug 26)
- Re: FPs on 13711-13713 Castle, Shane (Aug 27)
- Re: FPs on 13711-13713 waldo kitty (Aug 26)