[Snort-sigs] Reporting false positive for Snort rule

Dan Thorson dan.thorson at ...2264...
Tue Feb 24 06:54:26 EST 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flags:S,12; dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526;  classtype:misc-activity; rev:6;)

--
Sid:
526
--
Summary:
Reporting a potential false positive
--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
I am seeing a significant # of hits on this rule, always from a NetWare server running "DS Expert", sending to another NetWare server (being monitored by DSExpert).  This may be due to DSExpert being an older copy, but thought you'd want to know.  Here's the TCP data.  Destination port is always 524, with SYN set.
000 : 74 4E 63 50 00 00 00 0F 11 11 00 FF 00 FF 00      tNcP...........

--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References
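Added example (not part of the report or of the Snort project's code): it reproduces the match condition of sid 526 in Python, parses the hex dump above, and shows that the DSExpert traffic the report describes (SYN to TCP/524 with a 15-byte NCP payload) satisfies the rule, so a triager can tag that known pattern before deciding on a suppression. The `tNcP` marker check and the `192.0.2.10` address are assumptions for illustration.

```python
import re

# TCP payload dump exactly as posted in the report.
REPORTED_DUMP = "000 : 74 4E 63 50 00 00 00 0F 11 11 00 FF 00 FF 00      tNcP..........."

TCP_SYN = 0x02          # SYN flag bit in the TCP flags byte
TCP_RESERVED_MASK = 0xC0  # bits 1 and 2 (CWR/ECE) that 'flags:S,12' tells Snort to ignore
NCP_PORT = 524          # destination port reported for every hit
NCP_MARKER = b"tNcP"    # leading bytes of the posted payload (assumption: NCP request marker)


def parse_dump_line(line):
    """Turn one 'offset : hex bytes   ascii' dump line into the payload bytes."""
    body = line.split(":", 1)[1].strip()
    hex_part = re.split(r"\s{2,}", body)[0]  # hex column ends at the first run of spaces
    return bytes(int(h, 16) for h in hex_part.split())


def sid526_matches(tcp_flags, payload):
    """Rule condition: 'flags:S,12' = exactly SYN once reserved bits are masked,
    'dsize:>6' = strictly more than 6 payload bytes."""
    flags = tcp_flags & ~TCP_RESERVED_MASK & 0xFF
    return flags == TCP_SYN and len(payload) > 6


def looks_like_ncp_syn_data(dst_port, payload):
    """Triage heuristic (assumption, not part of the rule): the reported hits go to
    TCP/524 and the payload starts with the 'tNcP' bytes seen in the dump."""
    return dst_port == NCP_PORT and payload.startswith(NCP_MARKER)


def triage(tcp_flags, dst_port, payload):
    """Classify a segment: no alert, alert, or alert matching the reported NetWare pattern."""
    if not sid526_matches(tcp_flags, payload):
        return "no-alert"
    if looks_like_ncp_syn_data(dst_port, payload):
        return "alert-known-ncp-syn-data"
    return "alert"


def snort_suppress_line(src_ip):
    """Snort threshold.conf entry that silences sid 526 for one known sender."""
    return f"suppress gen_id 1, sig_id 526, track by_src, ip {src_ip}"


if __name__ == "__main__":
    payload = parse_dump_line(REPORTED_DUMP)
    print(len(payload), "payload bytes ->", triage(TCP_SYN, NCP_PORT, payload))
    print(snort_suppress_line("192.0.2.10"))  # placeholder address for the DSExpert server
```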