[Snort-sigs] False positive - sid:2303

Paul Schmehl pauls at ...1311...
Fri Mar 18 14:32:17 EST 2005


I did.  They were there.  They didn't contain the strings.

--On Friday, March 18, 2005 03:44:55 PM -0600 Bamm Visscher 
<bamm.visscher at ...2420...> wrote:

> Look for tagged packets from the same src/dst ips and ports.
>
> Bamm
>
>
>
> On Fri, 18 Mar 2005 15:29:16 -0600, Paul Schmehl <pauls at ...1311...>
> wrote:
>> --On Friday, March 18, 2005 03:11:33 PM -0600 SRH-Lists
>> <giermo at ...1992...> wrote:
>> >
>> > Is it possible that the offending content is in the stream and not in
>> > the packet you are looking at?
>> >
>> Probably so.  Unfortunately, we only have a 160GB drive right now, so I
>> can't even keep 24 hours of data.  Those stream packets are gone.
>> >
>> > If you are getting these a lot, try running tcpdump or ethereal or snort
>> > in packet logging mode (or sguil with log_packets) and take a look at
>> > the whole stream.  I bet the content is in there someplace.
>> >
>> We're running sguil.  That's where I'm getting all this info.
>>
>> Paul Schmehl (pauls at ...1311...)
>> Adjunct Information Security Officer
>> The University of Texas at Dallas
>> AVIEN Founding Member
>> http://www.utdallas.edu
>>



Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
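
The point raised in the thread, that an alert can fire on the reassembled stream while no single logged packet contains the string, shown as an added example (not code from the thread, Snort or sguil). The pattern, addresses and segments are constructed placeholders; the content of sid:2303 is not quoted in this thread.

```python
from collections import defaultdict

# Constructed sample: (src, sport, dst, dport, tcp_seq, payload).
# PATTERN is a placeholder, not the real content match of sid:2303.
PATTERN = b"EXAMPLE-SIGNATURE"
SEGMENTS = [
    ("10.0.0.5", 40112, "192.0.2.10", 80, 1000, b"GET /index?q=EXAMPLE-"),
    ("10.0.0.5", 40112, "192.0.2.10", 80, 1021, b"SIGNATURE HTTP/1.0\r\n\r\n"),
    # Retransmission of the previous segment; must not be appended twice.
    ("10.0.0.5", 40112, "192.0.2.10", 80, 1021, b"SIGNATURE HTTP/1.0\r\n\r\n"),
    ("10.0.0.7", 40200, "192.0.2.10", 80, 5000, b"GET /other HTTP/1.0\r\n\r\n"),
]

def reassemble(segs):
    """Rebuild one direction of a flow from (seq, payload) pairs.

    Returns a list of contiguous byte chunks. A sequence gap (a segment that
    was never captured or has rolled off disk) starts a new chunk, so a match
    is never claimed across missing data. Sequence wraparound is ignored.
    """
    chunks, next_seq = [], None
    for seq, payload in sorted(segs):
        if next_seq is None or seq > next_seq:  # first segment, or a gap
            chunks.append(b"")
            next_seq = seq
        skip = next_seq - seq                   # bytes already reassembled
        if skip < len(payload):
            chunks[-1] += payload[skip:]
            next_seq = seq + len(payload)
    return chunks

def packet_hits(segments, pattern):
    """Segments whose own payload contains the pattern (per-packet view)."""
    return [s for s in segments if pattern in s[5]]

def stream_hits(segments, pattern):
    """Flows (same src/dst IPs and ports) whose reassembled data matches."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        flows[(src, sport, dst, dport)].append((seq, payload))
    return sorted(key for key, segs in flows.items()
                  if any(pattern in chunk for chunk in reassemble(segs)))

if __name__ == "__main__":
    print("per-packet matches:", packet_hits(SEGMENTS, PATTERN))
    print("stream matches:    ", stream_hits(SEGMENTS, PATTERN))
```

If a segment of the flow is missing from the capture, `reassemble` returns more than one chunk and the match cannot be confirmed from what is left on disk.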



