[Snort-sigs] False positive - sid:2303

Bamm Visscher bamm.visscher at ...2420...
Fri Mar 18 13:45:41 EST 2005


Look for tagged packets from the same src/dst ips and ports.

Bammkkkk



On Fri, 18 Mar 2005 15:29:16 -0600, Paul Schmehl <pauls at ...1311...> wrote:
> --On Friday, March 18, 2005 03:11:33 PM -0600 SRH-Lists
> <giermo at ...1992...> wrote:
> >
> > Is it possible that the offending content is in the stream and not in
> > the packet you are looking at?
> >
> Probably so.  Unfortunately, we only have a 160GB drive right now, so I
> can't even keep 24 hours of data.  Those stream packets are gone.
> >
> > If you are getting these a lot, try running tcpdump or ethereal or snort
> > in packet logging mode (or sguil with log_packets) and take a look at
> > the whole stream.  I bet the content is in there someplace.
> >
> We're running sguil.  That's where I'm getting all this info.
> 
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
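The point of the thread is that a rule's content may match in the reassembled stream without appearing in the single alerting packet, so the tagged packets from the same src/dst IPs and ports have to be looked at together. The following is an added example, not code from the thread, sguil or Snort: it groups constructed packet records by flow, reassembles the TCP payload in sequence order (trimming retransmitted bytes), and reports whether a constructed content string matches per packet or only per stream. The packet dicts and the `marker-string` pattern are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample "captured" segments: one flow whose content is split
# across two packets, and one unrelated flow. Not real traffic.
PACKETS = [
    {"src": "10.0.0.5", "sport": 40123, "dst": "192.0.2.10", "dport": 80,
     "seq": 1000, "payload": b"GET /cgi-bin/marker-st"},
    {"src": "10.0.0.5", "sport": 40123, "dst": "192.0.2.10", "dport": 80,
     "seq": 1022, "payload": b"ring.cgi HTTP/1.0\r\n\r\n"},
    {"src": "10.0.0.9", "sport": 51000, "dst": "192.0.2.10", "dport": 80,
     "seq": 5000, "payload": b"GET / HTTP/1.0\r\n\r\n"},
]
CONTENT = b"marker-string"  # constructed stand-in for the rule's content option


def flow_key(pkt):
    """Group packets by the same src/dst IPs and ports (the tagged set)."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def reassemble(packets):
    """Return {flow: bytes}, ordering segments by seq and dropping retransmitted bytes."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[flow_key(pkt)].append(pkt)
    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda p: p["seq"])
        data, next_seq = b"", segs[0]["seq"]
        for seg in segs:
            start = next_seq - seg["seq"]      # bytes of this segment already seen
            if start < 0:                      # gap: a segment is missing
                data += b"\x00" * (-start)     # pad so later offsets stay honest
                start = 0
            data += seg["payload"][start:]
            next_seq = max(next_seq, seg["seq"] + len(seg["payload"]))
        streams[key] = data
    return streams


def check_content(packets, content):
    """Report where the content matches: per individual packet and per reassembled stream."""
    per_packet = [i for i, p in enumerate(packets) if content in p["payload"]]
    per_stream = [k for k, d in reassemble(packets).items() if content in d]
    return {"packets": per_packet, "streams": per_stream}


if __name__ == "__main__":
    print(check_content(PACKETS, CONTENT))
```

With the sample above no single packet matches but the first flow's stream does, which is exactly the situation where the alerting packet alone looks like a false positive.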



