[Snort-sigs] Re: SID 1432 false positive to report

MAYFIELD, MARK mark.mayfield at ...2502...
Wed May 19 07:14:16 EDT 2004


This same false positive occurs when Apple's iTunes application starts a streaming connection.  Example below:


[**] P2P GNUTella GET [**]
05/19-09:05:27.654356 0:1:96:BD:EE:A0 -> 0:4:27:46:46:F3 type:0x800 len:0x108
204.169.249.203:60432 -> 69.28.156.64:12535 TCP TTL:62 TOS:0x0 ID:60073 IpLen:20 DgmLen:250 DF
***AP*** Seq: 0xA382DCF4  Ack: 0xA25803A0  Win: 0x8040  TcpLen: 32
TCP Options (3) => NOP NOP TS: 849434044 938951541 
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 61 63  Accept: */*..Cac
68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63  he-Control: no-c
61 63 68 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74  ache..User-Agent
3A 20 69 54 75 6E 65 73 2F 34 2E 35 20 28 4D 61  : iTunes/4.5 (Ma
63 69 6E 74 6F 73 68 3B 20 4E 3B 20 50 50 43 29  cintosh; N; PPC)
0D 0A 58 2D 41 75 64 69 6F 63 61 73 74 2D 55 64  ..X-Audiocast-Ud
70 70 6F 72 74 3A 20 35 39 30 30 34 0D 0A 49 63  pport: 59004..Ic
79 2D 4D 65 74 61 64 61 74 61 3A 20 31 0D 0A 43  y-Metadata: 1..C
6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65  onnection: close
0D 0A 48 6F 73 74 3A 20 72 61 64 69 6F 73 74 2E  ..Host: radiost.
73 63 2E 6C 6C 6E 77 64 2E 6E 65 74 3A 31 32 35  sc.llnwd.net:125
33 35 0D 0A 0D 0A                                35....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Mark Mayfield, CCNP, CCDP
Roseville Area Schools
District Network Manager
(651) 604-1476
mark.mayfield at ...2503...


Original Message:

From: Ryan Barrett <Ryan.Barrett at ...2488...>
To: "'snort-sigs at lists.sourceforge.net'"
	 <snort-sigs at lists.sourceforge.net>
Date: Fri, 14 May 2004 15:22:38 -0700
Subject: [Snort-sigs] SID 1432 false positive to report


I noticed a false positive for this rule, and I wanted to send it to y'all. It's
for streaming music requests for Shoutcast, in which the client issues an
HTTP GET to a non-port-80 destination port, which then triggers this sig.
 
Rule:  
P2P GNUTella GET --
Sid:
1432
--
Summary:
 
--
Impact:
 
--
Detailed Information:
 
--
Affected Systems:
 
--
Attack Scenarios:
 
--
Ease of Attack:
 
--
False Positives:
Shoutcast streaming music service.
--
False Negatives:
 
--
Corrective Action:
 
--
Contributors:
 
-- 
Additional References:
 
000 : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A   GET / HTTP/1.0..
010 : 49 63 79 2D 4D 65 74 61 44 61 74 61 3A 31 0D 0A   Icy-MetaData:1..
020 : 55 73 65 72 2D 41 67 65 6E 74 3A 53 68 6F 75 74   User-Agent:Shout
030 : 63 61 73 74 20 53 65 72 76 65 72 20 31 2E 39 2E   cast Server 1.9.
040 : 32 0D 0A 0D 0A                                    2....
 
 
Ryan Barrett, CISSP
Sr. Security Engineer
____________________________________________
WebEx Communications, Inc.  p:408.435.7570
307 West Tasman Drive       f:408.435.7004
San Jose, CA 95134
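A triage helper for the two captures in this thread, added here as an example and not code from either poster: it parses the decoded request text (re-typed from the dumps above), normalises header names so "Icy-Metadata: 1" and "Icy-MetaData:1" compare equal, and separates requests carrying Shoutcast/Icecast streaming headers from anything else a non-port-80 GET alert could be. The Gnutella-style contrast request, its `/get/` and `/uri-res/` path forms, and the port 8000 used for the Shoutcast capture are constructed assumptions.

```python
from typing import Dict, Tuple

# Request text re-typed from the decoded column of the two dumps in this
# thread (iTunes from the reply, Shoutcast from the original report).
ITUNES_REQ = (
    b"GET / HTTP/1.1\r\nAccept: */*\r\nCache-Control: no-cache\r\n"
    b"User-Agent: iTunes/4.5 (Macintosh; N; PPC)\r\nX-Audiocast-Udpport: 59004\r\n"
    b"Icy-Metadata: 1\r\nConnection: close\r\nHost: radiost.sc.llnwd.net:12535\r\n\r\n"
)
SHOUTCAST_REQ = b"GET / HTTP/1.0\r\nIcy-MetaData:1\r\nUser-Agent:Shoutcast Server 1.9.2\r\n\r\n"
# Constructed contrast case (assumed, not from the thread): a download request
# in the classic Gnutella "/get/<index>/<filename>" form.
GNUTELLA_REQ = b"GET /get/17/example.mp3 HTTP/1.1\r\nHost: 10.0.0.5:6346\r\n\r\n"

# Header names that only a Shoutcast/Icecast-style stream client sends.
STREAM_HEADERS = {"icy-metadata", "x-audiocast-udpport"}


def parse_request(payload: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, target, version, headers).

    Header names are lower-cased and values stripped, so the two spellings in
    the thread ("Icy-Metadata: 1" and "Icy-MetaData:1") compare equal.
    """
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def classify_get(payload: bytes, dst_port: int) -> str:
    """Triage a GET alert the way an analyst tuning SID 1432 would."""
    method, target, _, headers = parse_request(payload)
    if method != "GET" or dst_port == 80:
        # The posts describe the rule firing only on GETs to non-port-80 destinations.
        return "not-sid1432-candidate"
    if STREAM_HEADERS.intersection(headers):
        return "streaming-false-positive"
    if target.startswith(("/get/", "/uri-res/")):  # Gnutella download URL forms (assumed)
        return "gnutella-like"
    return "review"
```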
