[Snort-sigs] Possible FP for rules 2329

Joel Esler eslerj at ...2420...
Thu Jun 2 08:40:25 EDT 2005


Matt,

Does the RNA ask you to identify these things? I have no hands-on
with an RNA, but would like to know..

J

On 6/2/05, Matthew Watchinski <mwatchinski at ...435...> wrote:
> The rule doc for the rule will be updated shortly with the following
> information.
> 
> Since this rule cannot be constrained using ports and the connection
> state for MSDAC is not tracked, false positive events may occur under
> normal circumstances. The $SQL_SERVERS variable in snort.conf should be
> configured correctly to eliminate this behavior.
> 
> Cheers,
> -matt
> 
> Guillaume Arcas wrote:
> 
> >Hi.
> >
> >I get false positive alerts with SQL rule 2329 that catch Windows XP VPN Client
> >traffic (udp/4500 for both src and dest.) as "MS-SQL probe response overflow
> >attempt".
> >
> >I think that it is due to the rule not having any port for destination.
> >
> >Best regards,
> >
> >
> >Guillaume Arcas
> >
> >-------------------------------------------------------
> >"Love and imagination easily blind the mind."
> >M. de Cervantès
> >
> >
> >-------------------------------------------------------
> >This SF.Net email is sponsored by Yahoo.
> >Introducing Yahoo! Search Developer Network - Create apps using Yahoo!
> >Search APIs Find out how you can build Yahoo! directly into your own
> >Applications - visit http://developer.yahoo.net/?fr=fad-ysdn-ostg-q22005
> >_______________________________________________
> >Snort-sigs mailing list
> >Snort-sigs at lists.sourceforge.net
> >https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> >
> >
> 
> 
> 


-- 
Joel Esler
BASE Project Lead
http://sourceforge.net/projects/secureideas
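
An added example, not part of the original thread and not Snort code: a minimal model of rule-header matching showing why a port-less rule keyed only on `$SQL_SERVERS` sees UDP/4500 VPN traffic when that variable is left as wide as `$HOME_NET`, and stops seeing it once the variable lists only real MS-SQL hosts. The header shape, addresses and packets are assumptions constructed for illustration; the thread does not quote the rule itself.

```python
import ipaddress

# Constructed networks and hosts (assumptions, not taken from the thread).
HOME_NET = "192.168.0.0/16"
WEAK = {"SQL_SERVERS": HOME_NET}                             # var SQL_SERVERS $HOME_NET
TIGHT = {"SQL_SERVERS": "192.168.10.5/32,192.168.10.6/32"}   # only the real MS-SQL hosts

# Assumed header shape for a rule with no port constraint on either side.
RULE_HEADER = ("udp", "$SQL_SERVERS", "any", "any", "any")

# Constructed packets: a VPN client on udp/4500 and a genuine MS-SQL UDP response.
VPN_PKT = {"proto": "udp", "src": "192.168.20.44", "sport": 4500,
           "dst": "203.0.113.7", "dport": 4500}
SQL_PKT = {"proto": "udp", "src": "192.168.10.5", "sport": 1434,
           "dst": "192.168.20.44", "dport": 3050}


def addr_match(spec, ip, variables):
    """Match an IP against 'any', a $VARIABLE, or a comma-separated CIDR list."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n.strip()) for n in spec.split(","))


def port_match(spec, port):
    return spec == "any" or int(spec) == port


def header_matches(header, pkt, variables):
    """True when the packet passes the header, so the rule's payload
    options (not modelled here) get evaluated against it."""
    proto, src, sport, dst, dport = header
    return (proto == pkt["proto"]
            and addr_match(src, pkt["src"], variables)
            and port_match(sport, pkt["sport"])
            and addr_match(dst, pkt["dst"], variables)
            and port_match(dport, pkt["dport"]))


if __name__ == "__main__":
    for name, variables in (("weak", WEAK), ("tight", TIGHT)):
        print(name, "vpn:", header_matches(RULE_HEADER, VPN_PKT, variables),
              "sql:", header_matches(RULE_HEADER, SQL_PKT, variables))
```

Narrowing the variable only removes events for hosts outside the list; unrelated UDP traffic involving a listed SQL server still reaches the payload checks.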



