[Snort-sigs] SID 1432 false positive to report

Ryan Barrett Ryan.Barrett at ...2488...
Mon May 17 07:25:13 EDT 2004


I noticed a false positive for this rule, and I wanted to send it to y'all. It's
for streaming music requests for Shoutcast, in which the client issues an
HTTP GET to a non-port 80 destination port, which then triggers this sig.
 
Rule:
P2P GNUTella GET
--
Sid:
1432
--
Summary:
 
--
Impact:
 
--
Detailed Information:
 
--
Affected Systems:
 
--
Attack Scenarios:
 
--
Ease of Attack:
 
--
False Positives:
Shoutcast streaming music service.
--
False Negatives:
 
--
Corrective Action:
 
--
Contributors:
 
-- 
Additional References:
 
000 : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A   GET / HTTP/1.0..
010 : 49 63 79 2D 4D 65 74 61 44 61 74 61 3A 31 0D 0A   Icy-MetaData:1..
020 : 55 73 65 72 2D 41 67 65 6E 74 3A 53 68 6F 75 74   User-Agent:Shout
030 : 63 61 73 74 20 53 65 72 76 65 72 20 31 2E 39 2E   cast Server 1.9.
040 : 32 0D 0A 0D 0A                                    2....
 
 
Ryan Barrett, CISSP
Sr. Security Engineer
____________________________________________
WebEx Communications, Inc.  p:408.435.7570
307 West Tasman Drive       f:408.435.7004
San Jose, CA 95134
 
This email may contain information that is Confidential and Proprietary to
WebEx Communications, Inc., and should be disclosed only to WebEx employees
with a need to know. If you are not the intended recipient of this message,
please immediately destroy any and all paper and electronic copies. Please
also notify the sender that this misdirection happened.
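
An added example, not part of the original message or of the Snort rule set: it rebuilds the payload from the hex dump above, checks it against the condition the message describes (an HTTP GET to a destination port other than 80), and flags the Shoutcast markers visible in the dump. The function names, the destination port used when calling it, and the marker heuristic are assumptions; the check is a simplified stand-in, not the actual text of SID 1432.

```python
import re

# Payload bytes copied from the hex dump in the message above.
HEX_DUMP = """\
000 : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A   GET / HTTP/1.0..
010 : 49 63 79 2D 4D 65 74 61 44 61 74 61 3A 31 0D 0A   Icy-MetaData:1..
020 : 55 73 65 72 2D 41 67 65 6E 74 3A 53 68 6F 75 74   User-Agent:Shout
030 : 63 61 73 74 20 53 65 72 76 65 72 20 31 2E 39 2E   cast Server 1.9.
040 : 32 0D 0A 0D 0A                                    2....
"""

def parse_hex_dump(dump):
    """Rebuild the raw payload from 'offset : hex bytes   ascii' lines."""
    out = bytearray()
    for line in dump.splitlines():
        if " : " in line:
            # The hex column ends at the first run of two or more spaces.
            hex_col = re.split(r"\s{2,}", line.split(" : ", 1)[1], maxsplit=1)[0]
            out += bytes.fromhex(hex_col)
    return bytes(out)

def parse_headers(payload):
    """Return {lowercased header name: value} for the request headers."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def matches_described_condition(payload, dst_port):
    """Assumed simplification of the trigger described in the message."""
    return dst_port != 80 and payload.startswith(b"GET ")

def looks_like_shoutcast(payload):
    """Heuristic (assumption): Icy-MetaData header or Shoutcast User-Agent."""
    headers = parse_headers(payload)
    return "icy-metadata" in headers or "shoutcast" in headers.get("user-agent", "").lower()

def triage(payload, dst_port):
    """Classify a payload as no-alert, likely Shoutcast false positive, or review."""
    if not matches_described_condition(payload, dst_port):
        return "no-alert"
    return "likely-shoutcast-fp" if looks_like_shoutcast(payload) else "review"
```

Calling `triage(parse_hex_dump(HEX_DUMP), 8000)` classifies the reported request as a likely Shoutcast false positive; port 8000 is a constructed value, since the message does not state the destination port.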
 