[Snort-sigs] false positives

Mark Gilbert mark.vyner at ...2377...
Tue Apr 6 19:51:05 EDT 2004


Hi all,

I'm getting a lot of alerts based on the rule below:

**] [1:2376:1] EXPLOIT ISAKMP first payload certificate request length overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
04/07-10:21:29.777878 external:500 -> branch office :500
UDP TTL:61 TOS:0x0 ID:30317 IpLen:20 DgmLen:200
Len: 172
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0040][Xref => http://www.securityfocus.com/bid/9582]

All my checkpoints have been updated to the latest version.

I'm running

FreeBSD 5.1
snort 2.1.2
latest snort rules (downloaded 2 days ago)

Any ideas??

Mark

