[Snort-sigs] False +ves for various rules...

Russell Fulton r.fulton at ...575...
Sun Jun 27 14:23:03 EDT 2004


Below is a sample of captures of packets that caused alerts that I
believe are false positives. I've just included one packet from each
rule; if you want more please ask.  In all these cases we are seeing
lots of hits from what appear to be legitimate clients.

All this stuff is in a mysql database, hence the printed packet dumps.
If you need pcap format dumps for testing I could easily put up another
snort instance with just these rules and collect them in a pcap file and
send that in.

Russell.

========================================================================
SID 1  CID 1956218  TimeStamp 2004-06-28 06:15:48
Signature: IMAP PCT Client_Hello overflow attempt  (Sig ID 2517)

IP:  Source Address 202.74.205.192  Dest Address 130.216.191.126
     Ver 4  Hdr Len 5  TOS 32  length 78  ID 65213  flags 2  offset 0  TTL 123  chksum 9834
     Resolved Source: 202-74-205-192.adsl.woosh.co.nz
     Resolved Dest:   postbox.auckland.ac.nz

TCP: Source Port 4580  Dest Port 993  Seq 1554994903  Ack 2243001659
     Offset 5  Reserved 0  Flags 24  Window 1500  Checksum 27099  Urgent Ptr 0
     Options: None
     Flags set: ACK PSH

DATA (hex, 10 bytes per group):
1703010021680BDBC251 FA8F0268FFE09ADAC6F3 1CA3918FF9FB161066FB
=======================================================================
SID 1  CID 1955025  TimeStamp 2004-06-27 22:19:35
Signature: IMAP SSLv3 invalid Client_Hello attempt  (Sig ID 2531)
Sensor Hostname: takahe.itss.auckland.ac.nz  Sensor Interface: 1

IP:  Source Address 219.88.135.192  Dest Address 130.216.191.127
     Ver 4  Hdr Len 5  TOS 32  length 142  ID 16720  flags 2  offset 0  TTL 117  chksum 7817
     Resolved Source: port-219-88-135-192.value.net.nz
     Resolved Dest:   mail.ec.auckland.ac.nz

TCP: Source Port 1930  Dest Port 993  Seq 3676272544  Ack 2851360356
     Offset 5  Reserved 0  Flags 24  Window 8760  Checksum 54492  Urgent Ptr 0
     Options: None
     Flags set: ACK PSH

DATA (hex, 10 bytes per group):
16030100610100005D03 0140DEA14A93B793D7E2 7D4D15CBE36252207689 DB370A3748F042245BE5
1D612620A668EE74EE3E 7CD0F5B299F37188E680 FAFE010507A6CA3935EB 8202357838EA00160004
0005000A000900640062 00030006001300120063
=======================================================================
SID 1  CID 1954438  TimeStamp 2004-06-27 18:58:59
Signature: POP3 PCT Client_Hello overflow attempt  (Sig ID 2518)
Sensor Hostname: takahe.itss.auckland.ac.nz  Sensor Interface: 1

IP:  Source Address 219.88.207.168  Dest Address 130.216.33.150
     Ver 4  Hdr Len 5  TOS 32  length 118  ID 4378  flags 2  offset 0  TTL 55  chksum 58072
     Resolved Source: 219-88-207-168.adsl.ihug.co.nz
     Resolved Dest:   csmail.cs.auckland.ac.nz

TCP: Source Port 11038  Dest Port 995  Seq 2045782667  Ack 3940123848
     Offset 8  Reserved 0  Flags 24  Window 8688  Checksum 23675  Urgent Ptr 0
     Options (## Code / Length / Data):
       0  No Operation                 0
       1  No Operation                 0
       2  TSOPT - Time Stamp Option   10  00AC3A9038327C32
     Flags set: ACK PSH

DATA (hex, 10 bytes per group):
170301001860CD45E781 F48FD5059CB82D93676E 028E3A10420EB08CFB17 0301002017AAADB0A862
DB7D4F981E57691C6E99 85F5E8A5F131AB2EDA94
=========================================================================
SID 1  CID 1956255  TimeStamp 2004-06-28 07:14:17
Signature: SMTP TLS PCT Client_Hello overflow attempt  (Sig ID 2528)
Sensor Hostname: takahe.itss.auckland.ac.nz  Sensor Interface: 1

IP:  Source Address 195.170.70.19  Dest Address 130.216.1.12
     Ver 4  Hdr Len 5  TOS 0  length 69  ID 47919  flags 2  offset 0  TTL 39  chksum 2786
     Resolved Source: mail.nextra.at
     Resolved Dest:   mailhost.auckland.ac.nz

TCP: Source Port 54945  Dest Port 25  Seq 570507681  Ack 2148821060
     Offset 5  Reserved 0  Flags 24  Window 33580  Checksum 2575  Urgent Ptr 0
     Options: None
     Flags set: ACK PSH

DATA (hex, 10 bytes per group):
17030100183DF4347F80 798FA28149D9845FF5E2
============================================================================
SID 1  CID 1956285  TimeStamp 2004-06-28 07:43:06
Signature: WEB-MISC PCT Client_Hello overflow attempt  (Sig ID 2515)
Sensor Hostname: takahe.itss.auckland.ac.nz  Sensor Interface: 1

IP:  Source Address 203.173.192.109  Dest Address 130.216.191.87
     Ver 4  Hdr Len 5  TOS 32  length 477  ID 186  flags 2  offset 0  TTL 121  chksum 12534
     Resolved Source: p109-apx1.akl.ihug.co.nz
     Resolved Dest:   webmail2.ec.auckland.ac.nz

TCP: Source Port 1042  Dest Port 443  Seq 3415029036  Ack 3243461383
     Offset 5  Reserved 0  Flags 24  Window 7334  Checksum 63308  Urgent Ptr 0
     Options: None
     Flags set: ACK PSH

DATA (hex, 10 bytes per group):
17030101B09ACCA827B1 F08FA07FF4AEFED9F585 007D933E12DEB9003E18 9E88CAEADD6814F1675B
CB48950E3E1CFEC4ED59 0BAE478E86748029BD04 C79BB8269AB8E4AEAF8A 2A23D2D8EEC26E99A8D9
6EA2FA399CE9A9883A3E DE8FAF17A0446510FF3D 74C9F0293B77B012BAF0 CEA916732A531114E6E4
1B9559880B88CC8442C8 1FD2079D53A8134ACC2F E242F63D210CAD0109D5 7D943FB8CAACD34E7D89
6A68D17CE61899C7AC84 5AB9217004D6D84147D8 F301D85D2139BBA76CDA C11E69F0153C6ABCB5B5
E3DB92350FD607DBFDF7 57D0D16CF335B09C9607 14F2AB6E95762F69D9D6 EEC6FAF8A377BC786442
355750F450EC7B0288AE B66B02B4062BB9A9473B 512A0DC6CBE39E659097 02A21A8F7E0B24B6FDA6
F80823BA32FD3422C6C8 E74C217A14816BB033B4 D749FA105FF78690F47B 1B58B74F024A91950D21
80C235A0C6FFF6D44EEF 768CC0E1773D78035A97 C69786556666493C421A CF455C51096B9D6A53BB
3CEBE27A57084113A96D 3DD91ABC3CCBBDC9DB07 ACFF7D8191D6DE21F822 EF08AD8BB77E36CBB8CD
DFAFED7472B6E3FE824A CD09413A6685851A7148 5C70631342537BA1CD27





More information about the Snort-sigs mailing list