[Snort-sigs] Possible false positives experienced on rule SID 1841 ???

b at ...2095... b at ...2095...
Tue Dec 30 07:50:19 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
   alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
--
Sid:
   1841
--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
   I think that I am receiving false positives because I have been
   known to use KazaaLite in the past, and some of the other clients
   trying to connect to me are using the ability inherent in Kazaa
   to use port 80 outbound, in an attempt (mostly successful I guess?)
   to bypass whatever firewall's security that they are behind? These
   clients seem to be triggering this rule!
--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References: