[Snort-sigs] FP in Rule 2515 ?

Esler, Joel - Contractor joel.esler at ...783...
Fri Aug 6 06:49:05 EDT 2004

I get a lot of these too, however unless it's coupled with this rule:

alert tcp any any -> any 443 (msg:"IIS5 PCT Overflow Attempt
(MS04-011)"; content: "|80 62 01 02 bd 00 01 00 01 00 16 8f 82 01 00 00
00|"; depth:17; flow:to_server,established;
classtype:attempted-admin; sid:1000627; rev:1; tag:session;)

I looks to be a false positive to me.


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Federico
Sent: Thursday, August 05, 2004 5:07 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] FP in Rule 2515 ?

Hello, I recently notice some alerts on rule "2515: WEB-MISC PCT 
Client_Hello overflow attempt", but that rule is not in the Snort 
on-line database.

I would like to know if that rule could easily generate FP alerts or if 
it an very accurate rule? Since it scan SSL traffic I can't realize if 
the traffic was actually an attack or just normal traffic.

I am running 2.1 rules snapshot with the rev 9 of 2515.

                                         Federico Petronio
                                         petrus at ...2312...

This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list