[Snort-sigs] False positive for 2460

Matthew Jonkman matt at ...2436...
Thu Jul 1 11:18:04 EDT 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
  CHAT Yahoo IM webcam request
--
Sid:
2460
--
Summary:
False positive. Audio chat messages incoming set this off. Remedying 
this may be as simple as renaming the rule to "CHAT Yahoo IM webcam or 
audio request".
--
Impact:
Audio messages are being deemed webcam connections.
--
Detailed Information:
A user that was participating in a text chat session that had audio 
messages being sent was triggering this rule.
--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
Audio chat traffic will also trigger this rule.
--
False Negatives:

--
Corrective Action:
Rename rule, or look further into the protocol and see if a packet 
containing <RVWCFG> is specific to only an audio session.
--
Contributors:

-- 
Additional References:



