[Snort-sigs] False positive generated on SID 2329

Jonathon Leszczynski jonalesz at ...2309...
Mon Mar 22 06:25:03 EST 2004


Here is a sample of what I reported before as a false positive
 
  Meta
    ID:              #1 - 185
    Time Triggered:  2004-03-12 23:48:06
    Signature:       [url] [bugtraq] [cve] [icat] [snort] MS-SQL probe response overflow attempt
    Sensor name:     WSVM1006:\Device\NPF_{96D8CB44-417E-4CE2-972C-2A38F26C9561}
    Interface:       \Device\NPF_{96D8CB44-417E-4CE2-972C-2A38F26C9561}
    Filter:          none
    Alert Group:     none

  IP
    source addr: 172.20.1.252    dest addr: 141.214.154.96
    Ver: 4  Hdr Len: 5  TOS: 0  length: 87  ID: 7217  flags: 0  offset: 0  TTL: 126  chksum: 18974
    FQDN Source Name: s-umhs-dns3.med.umich.edu
    FQDN Dest. Name:  WSVM1006.umhs.med.umich.edu
    Options: none

  UDP
    source port: 53  dest port: 1027  length: 67

  Payload  length = 59
  000 : 05 C4 81 80 00 01 00 01 00 00 00 00 06 75 6D 68   .............umh
  010 : 73 30 31 04 75 6D 68 73 03 6D 65 64 05 75 6D 69   s01.umhs.med.umi
  020 : 63 68 03 65 64 75 00 00 01 00 01 C0 0C 00 01 00   ch.edu..........
  030 : 01 00 00 0D 3B 00 04 AC 14 5C BC                  ....;....\.

>>> Jonathon Leszczynski 9:16:22 AM 09-Mar-04 >>>

 Jonathon Leszczynski
MCIT 734-764-5725
JonaLesz at ...2309...
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#

Rule:

--
Sid:
2329

--
Summary:
(as already written)

--
Impact:
Serious. (as already written)

--
Detailed Information:
(as already written)

--
Affected Systems:
(as already written)

--
Attack Scenarios:
(as already written)

--
Ease of Attack:
(as already written)

--
False Positives:
When using ACID, and when ACID does its reverse lookups (easier to
replicate when many reverse lookups are occurring), the returned
information appears to SNORT to be this kind of attack.  When the
network is busy, I have been able to replicate this at will.  The
source IP will show up as coming from UDP port 53 from the DNS in
making the "attack".

--
False Negatives:
(as already written)

--
Corrective Action:
(as already written)

--
Contributors:
(as already written) plus Jon Leszczynski

--
Additional References:
(as already written)

Jonathon Leszczynski
MCIT 734-764-5725
JonaLesz at ...2309...
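The payload in the alert above is an ordinary DNS A-record reply from the site's resolver. The following is an added example, not code from the post or from Snort: it parses that hex dump into its DNS fields and shows why its first bytes can pass for a SQL Server Resolution Service (SSRS) response. The SSRS layout it compares against (leading 0x05 byte, then a two-byte length) is my assumption about why the rule fires, not something the post states.

```python
import struct

# The 59-byte UDP payload from the ACID alert above (DNS reply, source port 53),
# constructed here by re-typing the hex dump in the post.
PAYLOAD = bytes.fromhex(
    "05c48180000100010000000006756d6873303104756d6873036d656405756d69"
    "6368036564750000010001c00c0001000100000d3b0004ac145cbc"
)

def read_name(buf, off):
    """Decode a DNS name at off, following compression pointers; return (name, next off)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                     # caller resumes after the pointer
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                         # refuse pointer loops in hostile input
                raise ValueError("DNS name pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def decode_dns_response(buf):
    """Parse a one-question, one-answer DNS reply like the one in the alert."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    qname, off = read_name(buf, 12)
    qtype, _qclass = struct.unpack("!HH", buf[off:off + 4]); off += 4
    aname, off = read_name(buf, off)
    atype, _aclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10]); off += 10
    rdata = buf[off:off + rdlen]; off += rdlen
    addr = ".".join(str(b) for b in rdata) if atype == 1 and rdlen == 4 else rdata.hex()
    return {
        "id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar), "qname": qname, "qtype": qtype,
        "answer": (aname, atype, ttl, addr),
        "consumed_all": off == len(buf),          # a genuine reply accounts for every byte
    }

def ssrs_like_prefix(buf):
    """Assumption (not from the post): an SSRS response starts with 0x05 and a 2-byte
    length, so a DNS transaction ID of 0x05xx puts 0x05 in that slot and the next two
    bytes read as a 'length' far larger than the 59-byte datagram."""
    return buf[0] == 0x05, struct.unpack("!H", buf[1:3])[0]
```

Run against the captured bytes, the decoder returns a complete, well-formed reply (transaction ID 0x05C4, query and answer for the same name, every byte accounted for), which is the evidence a tuner would attach when reporting the false positive.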
