Snort mailing list archives

Re: FPs on 13711-13713


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 26 Aug 2010 18:53:25 -0400

On 8/26/2010 16:12, Castle, Shane wrote:
> The recently added rules 13711, 13712, and 13713 all exhibit FP behavior
> for the google chat application, google Talk, using XMPP.

wow.. really??? that would seem to indicate that they are, in the first place, 
using the mysql TCP port of 3306 for their communications... if so, that doesn't 
seem nice at all...

those rules check for the non-existence of several flowbits... could that be 
part of the problem if you have the rules that set those flowbits disabled??

i do note that those rules do set flowbit sslv2.client_hello.request but that's 
not one of the ones being checked...

Attached are pcaps.
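
The flowbit dependency question raised in the reply above, as an added example that is not part of the original post or of the Snort rule set: a small audit that lists enabled rules whose `isset`/`isnotset` checks refer to a flowbit that no enabled rule sets. The SIDs and the `example.*` flowbit names are constructed placeholders, not the real text of 13711-13713.

```python
import re

# Constructed sample ruleset (hypothetical SIDs and flowbit names).
# A leading "#" marks a rule that is present in the file but disabled.
RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"setter A"; flowbits:set,example.server_hello; flowbits:noalert; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"setter B"; flowbits:set,example.session_up; flowbits:noalert; sid:1000002;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"checker"; flowbits:isnotset,example.server_hello; flowbits:isnotset,example.session_up; flowbits:set,sslv2.client_hello.request; sid:1000003;)
"""

RULE_RE = re.compile(r"^(#\s*)?(alert|log|pass|drop|reject|sdrop)\s")
FLOWBIT_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;,]+))?")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
SETTERS = {"set", "setx", "toggle"}   # operations that can turn a bit on
CHECKS = {"isset", "isnotset"}        # operations that test a bit

def parse(text):
    """Yield (sid, enabled, [(op, bit), ...]) for every rule line."""
    for line in text.splitlines():
        m, sid = RULE_RE.match(line.strip()), SID_RE.search(line)
        if not m or not sid:
            continue
        ops = []
        for op, names in FLOWBIT_RE.findall(line):
            # a single option may combine bits with & or |
            ops += [(op, b.strip()) for b in re.split(r"[&|]", names) if b.strip()]
        yield int(sid.group(1)), m.group(1) is None, ops

def unsatisfied_checks(text):
    """Return (sid, op, bit, disabled_setter_sids) for each check on a bit
    that no enabled rule sets. Such an isnotset test is always true, so it
    no longer suppresses the alert; such an isset test can never match."""
    rules = list(parse(text))
    live = {b for _, en, ops in rules if en for op, b in ops if op in SETTERS}
    off = {}
    for sid, en, ops in rules:
        if not en:
            for op, b in ops:
                if op in SETTERS:
                    off.setdefault(b, []).append(sid)
    return [(sid, op, b, off.get(b, []))
            for sid, en, ops in rules if en
            for op, b in ops if op in CHECKS and b not in live]

if __name__ == "__main__":
    for sid, op, bit, setters in unsatisfied_checks(RULES):
        print(f"sid {sid}: {op},{bit} has no enabled setter (disabled: {setters})")
```
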
