Re: SiD:4129 - No FP - No FN but wrong

[Crusty Saint <saintcrusty () gmail com>]

Just to make my rambling more clear.

Sigh, so far i've not come to any pcap files yet, workload sucks with faaar
less interesting stuff.

Any people in Belgium looking for a motivated security analyst can send me
an e-mail.



2011/3/29 Crusty Saint <saintcrusty () gmail com>

> Hi Joel,
>
> I have rev:4 here, no updates are expected any time soon. For now there are
> just two occurences. Given your reply i'll have a look at the pcap and if
> still required forward you the data.
>
> Thanks for your constructive reply
>
>
>
> 2011/3/28 Joel Esler <jesler () sourcefire com>
>
> > What rev of the rule are you running?  The copy I have (4) has a content
> > match, two byte jumps and a byte_test.  Plus there is a specific port coded
> > into it.  That's fairly specific, but I see how a FP would occur.
> >
> > Do you have a pcap?
> >
> > Joel
> >
> > On Mar 28, 2011, at 11:08 AM, Crusty Saint wrote:
> >
> > Hi,
> >
> > For http://www.snort.org/search/sid/4129 "EXPLOIT Novell ZenWorks Remote
> > Management Agent large login packet DoS attempt" i see no false-positive or
> > false-negative reported but there possibly could be one now. Though the
> > root-cause might well be PEBKAC.
> >
> > I think it is safe to assume such pebkac-positive would occur when a rule
> > is active and applied on a network not using the specified service/protocol
> > but i also hope snort's logic is sufficiently precise to eliminate such
> > erronous detections.
> >
> > Based on what i've seen in the rule the detection is based on just two
> > bytes so i assume the FP/FN rate to be much higher (? help ?) if used on a
> > network without related traffic present.
> >
> >
> > Best Regards,
> >
> > Saint Crusty
> >
> >
> > --
> > - - -
> > Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
> > Web Troubleshooting - If you think I deserve a rant, write me off-list
> >
> >
> > ------------------------------------------------------------------------------
> > Enable your software for Intel(R) Active Management Technology to meet the
> > growing manageability and security demands of your customers. Businesses
> > are taking advantage of Intel(R) vPro (TM) technology - will your software
> >
> > be a part of the solution? Download the Intel(R) Manageability Checker
> > today!
> > http://p.sf.net/sfu/intel-dev2devmar_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >  --
> > Joel Esler
> > http://blog.snort.org | http://vrt-blog.snort.org |
> > http://blog.clamav.net
> > Twitter: http://twitter.com/snort
>
>
> --
> - - -
> Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
> Web Troubleshooting - If you think I deserve a rant, write me off-list


-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list

------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the
growing manageability and security demands of your customers. Businesses
are taking advantage of Intel(R) vPro (TM) technology - will your software 
be a part of the solution? Download the Intel(R) Manageability Checker 
today! http://p.sf.net/sfu/intel-dev2devmar

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users