[Snort-sigs] false positives for MISC BGP invalid length

Josh.Sakofsky at ...1573... Josh.Sakofsky at ...1573...
Thu Jun 19 11:30:11 EDT 2003


I have been getting a ton of false positives for this rule since the Jun
14th rule update...
Here is a sample of the packet generating the FP....
Anyone have any ideas?


Meta
  ID #: 4 - 5407
  Time: 2003-06-19 07:12:41
  Triggered Signature: [snort] MISC BGP invalid length

Sensor
  name: unknown:eth1
  interface: eth1
  filter: none

Alert Group: none

IP
  source addr: (not shown)
  dest addr: (not shown)
  Ver: 4
  Hdr Len: 5
  TOS: 192
  length: 377
  ID: 25866
  flags: 0
  offset: 0
  TTL: 255
  chksum: 719
  FQDN Source Name / Dest. Name: (not shown)
  Options: none

TCP
  source port: 179
  dest port: 11017
  flags: ACK PSH set (R1 R0 URG RST SYN FIN clear)
  seq #: 3679937897
  ack: 1504014297
  offset: 5
  res: 0
  window: 15411
  urp: 0
  chksum: 17335
  Options: none


Payload (length = 337)

000 : FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF   ................
010 : 01 00 02 00 00 00 2A 40 01 01 00 40 02 0E 02 06   ......*@...@....
020 : 18 FB 0B 62 6A E4 6A E4 6A E4 6A E4 40 03 04 A8   ...bj.j.j.j.@...
030 : EE 80 05 80 04 04 00 00 01 B9 40 05 04 00 00 00   ..........@.....
040 : 64 10 18 9A 18 18 9A 01 18 18 9A 04 18 18 9A 06   d...............
050 : 18 18 9A 0A 18 18 9A 0B 18 18 9A 19 18 18 9A 1A   ................
060 : 18 18 9A 1B 18 18 9A 1C 18 18 9A 1D 18 18 9A 1E   ................
070 : 18 18 9A 1F 18 18 9A 30 18 18 9A 32 18 18 9A 33   .......0...2...3
080 : 18 18 9A 34 18 18 9A 35 18 18 9A 36 18 18 9A 37   ...4...5...6...7
090 : 18 18 9A 38 18 18 9A 39 18 18 9A 3A 18 18 9A 3B   ...8...9...:...;
0a0 : 18 18 9A 3E 18 18 9A 3F 18 18 9A 4A 18 18 9A 4B   ...>...?...J...K
0b0 : 18 18 9A 4D 18 18 9A 6A 18 18 9A 9E 18 18 9A A0   ...M...j........
0c0 : 18 18 9A AD 18 18 9A AE 18 18 9A AF 18 18 9A C0   ................
0d0 : 18 18 9A C1 18 18 9A C2 18 18 9A C5 18 18 9A C6   ................
0e0 : 18 18 9A C7 18 18 9A D7 18 3F 43 7B 18 3F 4C BB   .........?C{.?L.
0f0 : 16 3F 55 84 18 3F 5A 5E 18 D0 EC 24 18 D0 EC 26   .?U..?Z^...$...&
100 : FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF   ................
110 : 00 51 02 00 00 00 36 40 01 01 00 40 02 0E 02 06   .Q....6@...@....
120 : 18 FB 0B 62 6A E4 6A E4 6A E4 6A E4 40 03 04 A8   ...bj.j.j.j.@...
130 : EE 80 05 80 04 04 00 00 01 B9 40 05 04 00 00 00   ..........@.....
140 : 64 40 06 00 C0 07 06 FF E3 18 9A 17 01 15 18 9A   d@..............
150 : 10                                                .
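Added example (not from the post or from the Snort rule set): the dump above carries two back-to-back BGP UPDATE messages whose length fields, 0x0100 (256) and 0x0051 (81), add up to the 337-byte payload, so each header is well-formed under RFC 4271. The script walks a segment's BGP headers the way a length check has to; single_message_check is an assumed naive comparison (not the real rule's logic, which is not shown here) that fires on any segment holding more than one message, and SAMPLE is a constructed stand-in with the two headers from the dump and zeroed bodies.

```python
"""Walk the BGP messages in one TCP payload and validate each header
(RFC 4271, section 4.1). Several messages may share a segment, so a
length check has to iterate rather than treat the segment as one message."""
import struct

MARKER = b"\xff" * 16
# Minimum total length per type: OPEN, UPDATE, NOTIFICATION, KEEPALIVE
MIN_LEN = {1: 29, 2: 23, 3: 21, 4: 19}
TYPE_NAME = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


def parse_bgp_messages(payload: bytes):
    """Return [(type_name, declared_length, problem)] per message, problem
    being None for a well-formed header. Stops at the first bad header,
    because its length field cannot be trusted to locate the next one."""
    found, off = [], 0
    while off < len(payload):
        hdr = payload[off:off + 19]
        if len(hdr) < 19:
            found.append(("TRUNCATED", len(hdr), "fewer than 19 bytes left"))
            break
        length, mtype = struct.unpack("!H", hdr[16:18])[0], hdr[18]
        problem = None
        if hdr[:16] != MARKER:
            problem = "bad marker"
        elif not 19 <= length <= 4096:
            problem = "length outside 19..4096"
        elif mtype not in MIN_LEN:
            problem = "unknown type"
        elif length < MIN_LEN[mtype] or (mtype == 4 and length != 19):
            problem = "length wrong for type"
        elif off + length > len(payload):
            problem = "length runs past end of segment"
        found.append((TYPE_NAME.get(mtype, "UNKNOWN"), length, problem))
        if problem:
            break
        off += length
    return found


def single_message_check(payload: bytes) -> bool:
    """Assumed naive check: compare the first length field with the whole
    segment. It alerts (True) whenever a segment carries several messages."""
    return struct.unpack("!H", payload[16:18])[0] != len(payload)


# Constructed stand-in for the 337-byte payload above: both headers
# (FF*16 + 01 00 02 and FF*16 + 00 51 02) come from the dump, bodies are zeroed.
SAMPLE = (MARKER + b"\x01\x00\x02" + b"\x00" * 237
          + MARKER + b"\x00\x51\x02" + b"\x00" * 62)
```

Running parse_bgp_messages(SAMPLE) returns two UPDATE entries (256 and 81) with no problem, while single_message_check(SAMPLE) returns True, which is the kind of mismatch that would produce an alert on a valid packet.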



