[Snort-sigs] False Positives/Packet Conversations

Jacob Roberts jake_roberts at ...1807...
Mon Oct 13 15:14:14 EDT 2003


I've had snort installed for some time now, but with the Welchia/Blaster
things I haven't had a chance to take a good look at it.

Now I've got lots of rules turned on to try to get a feel for the
traffic on our network, and I'm seeing a lot of false positives and don't
understand why.  The rule definition looks fine, but it's picking up these
packets anyway.  Here are some examples; I'm just including the Rule
Name/SID and the packet that shows up in ACID.  These are
typical...mostly POP3 and FTP rules are triggered.  I find that many
rules are triggered from the HTML bodies of email messages rather than
actual POP/SMTP commands.

Does snort have some sort of conversation tracking?  Our previous IDS
was bad, but it could show you a Telnet conversation.  It's nice to be
able to contact the Admins with their root password that they sent in
plaintext.  Snort just returned a tiny packet with the content
'Login:root' and that was about it.  Shouldn't there be more?

Jake


POP3 STAT overflow attempt sid=2110
 length = 62
000 : 50 4F 53 54 20 2F 73 74 61 74 69 63 2F 73 65 61   POST /static/sea
010 : 72 63 68 2E 61 73 70 20 48 54 54 50 2F 31 2E 31   rch.asp HTTP/1.1
020 : 0D 0A 41 63 63 65 70 74 3A 20 69 6D 53 54 41 54   ..Accept: imSTAT
030 : 0D 0A 55 49 44 4C 0D 0A 51 55 49 54 0D 0A         ..UIDL..QUIT..

POP3 DELE overflow attempt sid=2111
 length = 105
000 : 4C 49 53 54 20 37 0D 0A 54 4F 50 20 38 20 30 0D   LIST 7..TOP 8 0.
010 : 0A 3D 22 64 65 6C 65 74 65 54 4F 50 20 39 20 30   .="deleteTOP 9 0
020 : 0D 0A 4C 49 53 54 20 39 0D 0A 54 4F 50 20 31 30   ..LIST 9..TOP 10
030 : 20 30 0D 0A 4C 49 53 54 20 31 30 0D 0A 6D 69 64    0..LIST 10..mid
040 : 64 6C 65 22 3E 0D 0A 3C 66 6F 6E 74 20 66 61 63   dle">..<font fac
050 : 54 4F 50 20 31 32 20 30 0D 0A 4C 49 53 54 20 31   TOP 12 0..LIST 1
060 : 32 0D 0A 73 61 6E 73 2D 73                        2..sans-s
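An added example, not part of Jake's post and not Snort's own code: it rebuilds each of the two payloads above from the ACID hex dump (checking the byte count against the "length =" values in the post) and reports every case-insensitive occurrence of the keyword the triggering rule is named after ("STAT", "DELE"), together with whether that occurrence sits where a POP3 client command would begin (start of payload or directly after CRLF). The Snort rule text and Snort's matching logic are not reproduced here; the "command position" test and the third, constructed POP3 request are assumptions used only to show why an HTTP request line or an HTML fragment that happens to contain the same four letters is a likely false positive.

```python
import re

# Hex dumps copied from the two ACID alerts in the post (hex columns only).
STAT_DUMP = """\
000 : 50 4F 53 54 20 2F 73 74 61 74 69 63 2F 73 65 61   POST /static/sea
010 : 72 63 68 2E 61 73 70 20 48 54 54 50 2F 31 2E 31   rch.asp HTTP/1.1
020 : 0D 0A 41 63 63 65 70 74 3A 20 69 6D 53 54 41 54   ..Accept: imSTAT
030 : 0D 0A 55 49 44 4C 0D 0A 51 55 49 54 0D 0A         ..UIDL..QUIT..
"""

DELE_DUMP = """\
000 : 4C 49 53 54 20 37 0D 0A 54 4F 50 20 38 20 30 0D   LIST 7..TOP 8 0.
010 : 0A 3D 22 64 65 6C 65 74 65 54 4F 50 20 39 20 30   .="deleteTOP 9 0
020 : 0D 0A 4C 49 53 54 20 39 0D 0A 54 4F 50 20 31 30   ..LIST 9..TOP 10
030 : 20 30 0D 0A 4C 49 53 54 20 31 30 0D 0A 6D 69 64    0..LIST 10..mid
040 : 64 6C 65 22 3E 0D 0A 3C 66 6F 6E 74 20 66 61 63   dle">..<font fac
050 : 54 4F 50 20 31 32 20 30 0D 0A 4C 49 53 54 20 31   TOP 12 0..LIST 1
060 : 32 0D 0A 73 61 6E 73 2D 73                        2..sans-s
"""

# Constructed (not from the post): what a genuine oversized DELE command
# from a POP3 client would look like, for comparison.
GENUINE_POP3 = b"USER jake\r\nDELE " + b"A" * 300 + b"\r\n"

# Each ACID line is "<offset> : <47-char hex field>   <ascii>".  The hex
# field is fixed width, so slicing it off keeps the ASCII column (which may
# itself contain hex-looking characters) from being parsed as data.
HEX_FIELD_WIDTH = 47


def parse_acid_dump(dump: str) -> bytes:
    """Rebuild the raw payload from an ACID-style hex dump."""
    payload = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset_str, rest = line.split(" : ", 1)
        if int(offset_str, 16) != len(payload):
            raise ValueError(f"offset {offset_str} does not match {len(payload)} bytes parsed")
        payload += bytes.fromhex(rest[:HEX_FIELD_WIDTH])
    return bytes(payload)


def keyword_hits(payload: bytes, keyword: bytes):
    """Every case-insensitive occurrence of keyword as (offset, at_command_position).

    A POP3 client command begins at the start of the data or right after a
    CRLF; anything else is the keyword embedded in some other text.
    """
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    hits = []
    for match in pattern.finditer(payload):
        off = match.start()
        at_cmd = off == 0 or payload[off - 1:off] == b"\n"
        hits.append((off, at_cmd))
    return hits


def triage(payload: bytes, keyword: bytes) -> str:
    """One-line verdict: does the keyword ever appear where a command would?"""
    hits = keyword_hits(payload, keyword)
    if not hits:
        return f"{keyword.decode()}: not present"
    if any(at_cmd for _, at_cmd in hits):
        return f"{keyword.decode()}: at a command position (worth a look)"
    where = ", ".join(f"offset {off} in {payload[max(0, off - 8):off + 8]!r}" for off, _ in hits)
    return f"{keyword.decode()}: only inside other text ({where}) - likely false positive"


if __name__ == "__main__":
    for name, dump, kw in (("sid 2110", STAT_DUMP, b"STAT"), ("sid 2111", DELE_DUMP, b"DELE")):
        data = parse_acid_dump(dump)
        print(f"{name}: {len(data)} bytes -> {triage(data, kw)}")
    print(f"constructed: {len(GENUINE_POP3)} bytes -> {triage(GENUINE_POP3, b'DELE')}")
```

Running it shows the sid 2110 packet contains "stat" twice (in "/static" and "imSTAT") and the sid 2111 packet contains "dele" once (in "delete"), none of them at a command position, while the constructed request has DELE directly after a CRLF. Rebuilding the bytes this way is also the quickest check that an ACID display is showing you the whole payload: both reconstructed lengths match the "length =" values in the alerts.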