Re: SiD:4129 - No FP - No FN but wrong

[Joel Esler <jesler () sourcefire com>]

If in doubt about a rule, we are always willing to look at it if. Full session pcaps are preferred, but anything may 
help. 

-- 
Sent from my iPad
Please excuse the brevity

On Mar 29, 2011, at 3:36 AM, Crusty Saint <saintcrusty () gmail com> wrote:

> Hi Joel,
>
> I have rev:4 here, no updates are expected any time soon. For now there are just two occurences. Given your reply 
> i'll have a look at the pcap and if still required forward you the data.
>
> Thanks for your constructive reply
>
>
> 2011/3/28 Joel Esler <jesler () sourcefire com>
> What rev of the rule are you running?  The copy I have (4) has a content match, two byte jumps and a byte_test.  Plus 
> there is a specific port coded into it.  That's fairly specific, but I see how a FP would occur.
>
> Do you have a pcap?
>
> Joel
>
> On Mar 28, 2011, at 11:08 AM, Crusty Saint wrote:
>
> > Hi,
> >
> > For http://www.snort.org/search/sid/4129 "EXPLOIT Novell ZenWorks Remote Management Agent large login packet DoS 
> > attempt" i see no false-positive or false-negative reported but there possibly could be one now. Though the 
> > root-cause might well be PEBKAC.
> >
> > I think it is safe to assume such pebkac-positive would occur when a rule is active and applied on a network not 
> > using the specified service/protocol but i also hope snort's logic is sufficiently precise to eliminate such 
> > erronous detections.
> >
> > Based on what i've seen in the rule the detection is based on just two bytes so i assume the FP/FN rate to be much 
> > higher (? help ?) if used on a network without related traffic present.
> >
> >
> > Best Regards,
> >
> > Saint Crusty
> >
> >
> > -- 
> > - - -
> > Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I 
> > deserve a rant, write me off-list
> >
> > ------------------------------------------------------------------------------
> > Enable your software for Intel(R) Active Management Technology to meet the
> > growing manageability and security demands of your customers. Businesses
> > are taking advantage of Intel(R) vPro (TM) technology - will your software 
> > be a part of the solution? Download the Intel(R) Manageability Checker 
> > today! http://p.sf.net/sfu/intel-dev2devmar_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Joel Esler
> http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
> Twitter: http://twitter.com/snort
>
>
>
>
> -- 
> - - -
> Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I 
> deserve a rant, write me off-list
------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the
growing manageability and security demands of your customers. Businesses
are taking advantage of Intel(R) vPro (TM) technology - will your software 
be a part of the solution? Download the Intel(R) Manageability Checker 
today! http://p.sf.net/sfu/intel-dev2devmar

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users