[Snort-sigs] False positive on SID 469 (ICMP ping nmap)

Nigel Houghton nigel at ...435...
Mon Oct 6 18:12:02 EDT 2003


Thanks Nick.

Can anyone verify this information? If so, I will gladly add this to the
false positives section in the docs.

For anyone using their products, according to their FAQ, these are the IP
addresses of the relevant servers:

1) Servers that avast! connects to:
URL: http://www.asw.cz/iavs4pro
IP: 195.70.130.34

URL: http://www.avast.com/iavs4pro
IP: 66.98.166.72

URL: http://www.iavs.net/iavs4pro
IP: 207.44.156.15

URL: http://www.iavs.cz/iavs4pro
IP: 62.168.45.69

FAQ says it will also try a ping every 40 seconds if it doesn't get a
reply (that's a potential avalanche of false positives) and goes for an
update if it can connect; it repeats the process every four hours.

Around Tomorrow Niklas Schiffler said:

NS :Hi,
NS :
NS :I don't know if this is the right place to report this:
NS :
NS :The online update function of Avast Antivirus (www.avast.com) generates
NS :false positives on SID 469. It seems to use an ICMP ping message with data
NS :size 0 to check if www.avast.com can be reached.
NS :
NS :nick..

-------------------------------------------------------------
Nigel Houghton   Security Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister

Message dated: Oct 6
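The false positive described in this thread comes from SID 469 matching any ICMP echo request that carries no data (dsize 0), which is exactly what the avast update check sends. The following is an added example, not code from the thread or from Snort, that mirrors those two rule conditions over constructed packets and shows a by-destination suppression for the update servers listed above; the client and unlisted-host addresses (192.168.1.10, 198.51.100.7) are constructed sample values.

```python
import struct
from ipaddress import ip_address

# Update servers named in the post (from avast's FAQ). The client pings these
# hosts, so suppression is keyed on the packet's destination address.
AVAST_UPDATE_SERVERS = {"195.70.130.34", "66.98.166.72", "207.44.156.15", "62.168.45.69"}

ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8

def build_ipv4_icmp(src, dst, icmp_type, payload=b""):
    """Constructed sample packet: minimal IPv4 header + ICMP header + payload.
    Checksums are left as zero; this only exercises the matching logic."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                         ICMP_PROTO, 0, ip_address(src).packed, ip_address(dst).packed)
    return ip_hdr + icmp

def parse_icmp(pkt):
    """Return (src, dst, icmp_type, dsize) for an IPv4 ICMP packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ICMP_PROTO or len(pkt) < ihl + 8:
        return None
    src = str(ip_address(pkt[12:16]))
    dst = str(ip_address(pkt[16:20]))
    icmp = pkt[ihl:]
    # dsize is the ICMP payload length: bytes after the 8-byte ICMP header
    return src, dst, icmp[0], len(icmp) - 8

def sid469_matches(pkt):
    """SID 469's detection conditions: echo request (itype 8) with dsize 0."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return False
    _, _, icmp_type, dsize = parsed
    return icmp_type == ICMP_ECHO_REQUEST and dsize == 0

def sid469_alerts(pkt, suppressed_dsts=AVAST_UPDATE_SERVERS):
    """Rule match followed by a by-destination suppression, the in-code analogue
    of a Snort 'suppress gen_id 1, sig_id 469, track by_dst, ip ...' entry."""
    if not sid469_matches(pkt):
        return False
    _, dst, _, _ = parse_icmp(pkt)
    return dst not in suppressed_dsts

# Constructed traffic: the avast check-in ping, a normal 56-byte ping, and a
# zero-data echo request to an unlisted host (which should still alert).
AVAST_PING = build_ipv4_icmp("192.168.1.10", "66.98.166.72", ICMP_ECHO_REQUEST)
NORMAL_PING = build_ipv4_icmp("192.168.1.10", "198.51.100.7", ICMP_ECHO_REQUEST, b"\x00" * 56)
OTHER_PING = build_ipv4_icmp("192.168.1.10", "198.51.100.7", ICMP_ECHO_REQUEST)
```

Suppressing by destination rather than disabling the rule keeps zero-data echo requests to any other host visible, which is the behaviour a defender wants from SID 469.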
