[Snort-sigs] false positive snort it 2329 ?

dara deargin at ...1934...
Fri Dec 3 08:30:02 EST 2004


Hi


I didn't understand a lot of the stuff at the link for sending reports
to this list, so if anybody wants any more information just send me the
steps I need to go through to get it for you and I will gladly help.


I'll try to explain my system and the 'potential' false positive I
suspect, as best I can.


I am using SNORT via IPCOP, the 1.4.1 CD ISO of IPCop, and installed it.


I have the IDS turned on in IPCOP, which is using the 'snort' engine.


Today I got this in the IPCOP IDS log :


Date:
12/02 16:21:47
Name:
MS-SQL probe
response overflow
attempt
Priority:
1
Type:
Attempted User
Privilege Gain
IP info:
193.120.x.x:5000
-> 10.0.16.x:5000
References:
none found
SID:
2329
Date:
12/02 16:21:48
Name:
MS-SQL probe
response overflow
attempt
Priority:
1
Type:
Attempted User
Privilege Gain
IP info:
193.120.x.x:5000
-> 10.0.16.x:5000
References:
none found
SID:
2329
Date:
12/02 16:22:04
Name:
MS-SQL probe
response overflow
attempt
Priority:
1
Type:
Attempted User
Privilege Gain
IP info:
193.120.x.x:5000
-> 10.0.16.x:5000
References:
none found
SID:
2329

SID 2329 is a link to http://www.snort.org/snort-db/sid.html?sid=2329 



The reason I'm reporting this is because the port (5000) in question is
used for my VPN to my company.


The 192.120.x.x address is one of the company's external access points
(a router/firewall thingy).

My address is on an internal network (10.x.x.x).



So, I was about to send this off to the company saying that perhaps
their network is compromised, or somebody inside is messing about or
using the game mentioned on your site that could generate this alert.


Then I wondered how they could do so. It would mean either faking the
address and port as my VPN port, or taking it over?

But I decided it couldn't be the latter as the VPN still worked.


I wonder then, the data is encrypted on the VPN tunnel, and so this
--could-- have simply been a coincidence where some packets of
encrypted data "looked like" attack packets?


Would you agree with this possibility of a false positive?


Maybe you would like to put it on your site, maybe not, maybe it is a
problem at my company.

Hope this is useful.

regards

d
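As an added example (not part of the post or of the Snort project), a small Python triage script that parses the IPCop alert layout shown above, groups the hits by SID and endpoints, and, where both ends of the flow sit on a port the operator has declared as the encrypted VPN tunnel, emits a Snort 2 threshold.conf `suppress` line scoped to that peer only. The peer address 193.120.x.x and the tunnel set are assumptions taken from the post; in practice the real gateway address goes in.

```python
import re
from collections import Counter

# Constructed sample in the field-per-line layout IPCop showed in the post:
# three hits of SID 2329 between the VPN peer and the inside host, both on port 5000.
ALERT_TEMPLATE = ("Date:\n{ts}\nName:\nMS-SQL probe\nresponse overflow\nattempt\n"
                  "Priority:\n1\nType:\nAttempted User\nPrivilege Gain\nIP info:\n"
                  "193.120.x.x:5000\n-> 10.0.16.x:5000\nReferences:\nnone found\n"
                  "SID:\n2329\n")
SAMPLE_LOG = "".join(ALERT_TEMPLATE.format(ts=t)
                     for t in ("12/02 16:21:47", "12/02 16:21:48", "12/02 16:22:04"))

LABELS = {"Date:", "Name:", "Priority:", "Type:", "IP info:", "References:", "SID:"}
ENDPOINT_RE = re.compile(r"^(\S+):(\d+)\s*->\s*(\S+):(\d+)$")

def parse_alerts(text):
    """Fold the one-field-per-line layout into one dict per alert.
    A "Date:" label opens a record; continuation lines are joined with spaces."""
    alerts, current, field = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in LABELS:
            field = line[:-1]
            if field == "Date":
                current = {}
                alerts.append(current)
            current[field] = ""
        elif current is not None and field:
            current[field] = (current[field] + " " + line).strip()
    return alerts

def triage(text, vpn_tunnels):
    """Count alerts per (sid, src, sport, dport).  For groups whose source endpoint
    is a declared VPN tunnel (assumed set of (peer, port)) and whose ports match on
    both ends, i.e. the tunnel itself, so the rule matched encrypted payload, return
    a per-source suppress line: the rule keeps firing for any other source."""
    counts = Counter()
    for a in parse_alerts(text):
        src, sport, dst, dport = ENDPOINT_RE.match(a["IP info"]).groups()
        counts[(a["SID"], src, int(sport), int(dport))] += 1
    suggestions = [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}"
                   for (sid, src, sport, dport) in counts
                   if (src, sport) in vpn_tunnels and sport == dport]
    return counts, suggestions

if __name__ == "__main__":
    # The post masks the peer as 193.120.x.x; substitute the real gateway address.
    print(triage(SAMPLE_LOG, {("193.120.x.x", 5000)}))
```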
