[Snort-sigs] False positive in sid:1448

Nigel Houghton nigel at ...435...
Thu Aug 12 10:43:10 EDT 2004


On  0, Federico Petronio <petrus at ...2312...> allegedly wrote:
> Hello,
> 
> I would like to ask about sid 1448, I read in snort database that:
> 
> "This event is generated when a malicious packet is sent to the 
> Microsoft Terminal Server port."
> 
> The "malicious" part, is this 100% accurate? Could normal terminal server 
> traffic trigger that rule?

It's possible and that would be called a false positive. Now, if you think
you have legitimate traffic causing the rule to generate events, we need
some details so we can either tune the rule further or add a note to the
document.

> I am running sid:1448 rev.10 and snort-2.1.3
> 
> Thanks a lot.
> -- 
>                                         Federico Petronio
>                                         petrus at ...2312...
 
+-------------------------------------------------------------------------+
       Nigel Houghton       Research Engineer        Sourcefire Inc.
                       Vulnerability Research Team
                                                                         
  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
+-------------------------------------------------------------------------+



