Re: SiD:4129 - No FP - No FN but wrong

[rmkml <rmkml () yahoo fr>]

Hi Crusty,
Sorry Im not tested this rule, but exploit exist on metasploit... (zenworks_desktop_agent.rb)
Regards
Rmkml


On Mon, 28 Mar 2011, Crusty Saint wrote:

> Hi,
>
> For http://www.snort.org/search/sid/4129 "EXPLOIT Novell ZenWorks Remote Management Agent large login packet DoS 
> attempt" i see no false-positive or false-negative reported but there possibly could be one now. Though the root-cause
> might well be PEBKAC.
>
> I think it is safe to assume such pebkac-positive would occur when a rule is active and applied on a network not using the 
> specified service/protocol but i also hope snort's logic is sufficiently precise to eliminate such erronous
> detections.
>
> Based on what i've seen in the rule the detection is based on just two bytes so i assume the FP/FN rate to be much 
> higher (? help ?) if used on a network without related traffic present.
>
>
> Best Regards,
>
> Saint Crusty
>
>
> --
> - - -Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I 
> deserve a rant, write me off-list
------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the
growing manageability and security demands of your customers. Businesses
are taking advantage of Intel(R) vPro (TM) technology - will your software 
be a part of the solution? Download the Intel(R) Manageability Checker 
today! http://p.sf.net/sfu/intel-dev2devmar

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users