[Snort-sigs] False Positives with SIDs 2505 and 2506?

Brian bmc at ...95...
Mon May 10 14:35:06 EDT 2004


On Thu, May 06, 2004 at 02:41:34PM +1000, Chris Keladis wrote:
> SID 2505 is falsely firing due to a bug in Snort. I've sent a pcap to the 
> Snort developers and there should be a solution soon.

Well, sorta.  This is more of a feature that wasn't fully thought out.
In some cases, automatic recursion is not desired.  I'm coming up with
text to put in the manual that explains what this bug is and how to
work around it.

> SID 2506 however is a bit weird (for me anyway). It alerts if the 
> client_hello.timestamp bytes are > 2147483647 (a 32-bit signed int).

2506 is now "deleted".  Some browsers are dumb and send invalid
timestamps.  As such, these trigger on normal traffic.  So... they are
now disabled.

Brian
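
The SID 2506 comparison described in the thread, as an added example that is not part of the original post and is not Snort's own code: it reads the 4-byte timestamp at the start of the ClientHello random field and applies the > 2147483647 test. The function names, record builder and sample bytes are constructed for illustration, and the offsets assume a single unfragmented SSLv3/TLS handshake record.

```python
import struct

INT32_MAX = 2147483647  # threshold quoted in the thread for SID 2506


def client_hello_timestamp(record: bytes) -> int:
    """Return the ClientHello timestamp as an unsigned 32-bit integer."""
    if len(record) < 15:
        raise ValueError("too short for record header, handshake header and timestamp")
    content_type, _version, _length = struct.unpack_from("!BHH", record, 0)
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    # 5-byte record header + 4-byte handshake header + 2-byte client_version = 11
    (timestamp,) = struct.unpack_from("!I", record, 11)
    return timestamp


def trips_timestamp_check(record: bytes) -> bool:
    """The comparison the thread describes: timestamp bytes > 2147483647."""
    return client_hello_timestamp(record) > INT32_MAX


def build_client_hello(random32: bytes) -> bytes:
    """Constructed minimal SSLv3 ClientHello carrying the given 32-byte random."""
    assert len(random32) == 32
    # client_version, random, empty session id, one cipher suite, null compression
    body = b"\x03\x00" + random32 + b"\x00" + b"\x00\x02\x00\x0a" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def flagged_share_if_arbitrary() -> float:
    """Share of leading-byte values that trip the check when the field is not a clock."""
    hits = sum(
        trips_timestamp_check(build_client_hello(bytes([b]) + bytes(31)))
        for b in range(256)
    )
    return hits / 256


# Constructed samples: a clock-derived value from May 2004, and a client that
# (by assumption) puts arbitrary bytes where the timestamp belongs.
CLOCK_HELLO = build_client_hello(struct.pack("!I", 1084227584) + bytes(28))
ARBITRARY_HELLO = build_client_hello(bytes.fromhex("c35a107e") + bytes(28))

if __name__ == "__main__":
    print(trips_timestamp_check(CLOCK_HELLO), trips_timestamp_check(ARBITRARY_HELLO))
    print(flagged_share_if_arbitrary())
```

The comparison reduces to testing the top bit of the first timestamp byte, so a benign client that does not put a real clock value there matches about half the time.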



