[Snort-sigs] False positive sid:498
mjp-snortsigs at ...1399...
Wed Mar 23 21:05:00 EST 2005

On Wed, 23 Mar 2005, Frank Knobbe wrote:

> On Wed, 2005-03-23 at 13:19 -0600, Mike Pomraning wrote:
>> No more of those pesky security mailing lists tripping sigs via email and web
>
> Another solution is even simpler. Ignore the IDS rules download station
> from tripping Snort rules. Feel free to pass or suppress or bpf or
> however else you feel comfortable to suppress those warnings.
>
> Changing all rules to !25 is hardly a solution. :)

No argument here! However, the OP's problem was not sid 498 tripping on IDS
updates either fetched (or pushed out) from a known location.

Instead, the sig simply hit on the body of a BugTraq email (the Vade 79 OS X
local root), from IPs unknown to IPs unknown, in SMTP transit. For all we
know of the capture in question, the OP caught himself forwarding the email
to a colleague. I hate it when that happens. :-)

Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security