[Snort-sigs] False Positives with SIDs 2505 and 2506?

adam.w.hogan adam.w.hogan at ...1605...
Mon May 3 07:35:03 EDT 2004

Yeah, I'm seeing false positives on both of those.  A lot more on 2506
than 2505.  I have not been able to figure out what the cause is yet
though - looks like normal SSL traffic at first glance.  But my
network's pretty big and messy, so we see false positives on just about

-Adam Hogan.

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of Timothy
Sent: Wednesday, April 28, 2004 4:30 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] False Positives with SIDs 2505 and 2506?

Is anyone out there seeing false positives with rules 2505 and 2506
(WEB-MISC invalid SSLv3 data version and timestamp attempts,
respectively)?  I seem to be racking up a good number of hits that just
don't fit the M.O. of attack traffic (e.g., large number of local,
source hosts, very low level of events coming from each, all of the
traffic aimed at the same few local web servers).  Many of the source
hosts appear to be Macs - which somewhat adds to my suspicions.




Timothy Wright, CISSP
Information Security
Office of Information Technologies
University of Notre Dame
