[Snort-sigs] False positive sid:498

Mike Pomraning mjp-snortsigs at ...1399...
Wed Mar 23 21:05:00 EST 2005

On Wed, 23 Mar 2005, Frank Knobbe wrote:

> On Wed, 2005-03-23 at 13:19 -0600, Mike Pomraning wrote:
>> No more of those pesky security mailing lists tripping sigs via email and web
>> archives!
> Another solution is even simpler. Ignore the IDS rules download station
> from tripping Snort rules. Feel free to pass or suppress or bpf or
> however else you feel comfortable to suppress those warnings.
> Changing all rules to !25 is hardly a solution. :)

No argument here!  However, the OP's problem was not sid 498 tripping on IDS
updates either fetched (or pushed out) from a known location.

Instead, the sig simply hit on the body of a BugTraq email (the Vade 79 OS X
local root), from IPs unknown to IPs unknown, in SMTP transit.  For all we
know of the capture in question, the OP caught himself forwarding the email
to a colleague.  I hate it when that happens.  :-)

Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
