[Snort-sigs] False positive sid:498

Paul Schmehl pauls at ...1311...
Thu Mar 24 08:32:01 EST 2005

--On Wednesday, March 23, 2005 11:37:41 PM -0500 Mike Pomraning 
<mjp-snortsigs at ...1399...> wrote:
>> Changing all rules to !25 is hardly a solution. :)
> No argument here!  However, the OP's problem was not sid 498 tripping on
> updates either fetched (or pushed out) from a known location.
> Instead, the sig simply hit on the body of a BugTraq email (the Vade 79
> OS X local root), from IPs unknown to IPs unknown, in SMTP transit.  For all
> we know of the capture in question, the OP caught himself forwarding the
> email to a colleague.  I hate it when that happens.  :-)
Since I'm the OP, how about if I respond?  :-)

This might come as a shock to some, but at a university the security folks 
are not the *only* people who read lists like Bugtraq or (horror of 
horrors) go to websites that explain exploits, including code that sets off 
alerts in snort.  In fact, at a university, we see *tons* of false 
positives because - well - we have literally tens of different OSes (and 
versions of OSes), god knows how many unknown "rogue" services running 
around and lots of intelligent *and* inquisitive folks who know a lot about 
computers, networking and tcp/ip.  (That's why working in security at a 
university is such an unbelievable blast!  I absolutely *love* my job!)

The *only* reason I report these fps here is because I *care* about the 
community and want to provide information to the developers that *might* be 
useful in improving things (and because *my* dataset is probably larger 
than most folks', so I get more examples of "oddball" stuff).

I *personally* could care less if the rules get "fixed" or not.  I'm quite 
capable of figuring out how to suppress and/or ignore things that don't 
interest me or don't represent a threat to our environment.  I'm even 
capable of writing my *own* rules and ignoring the snort rules completely. 
{{Gasp!!}}  My purpose in posting these fps is to generate *useful* 
conversation that *might* lead to rule improvement, *not* to generate 
comments about "polluting" all rules or things being impossible to do.  In 
fact, I'd even venture to say that just the *discussion* about why you can 
or can't do something is worthwhile to the readers of this list.  We *all* 
learn new things when people articulate their understanding of things like 
flowbits (as Mike did in the post previous to this one) or thresholding, 

If improving the ruleset *isn't* the purpose of this list, then tell me now 
and I'll take my ball and go home.

Now, one final word for the inevitable folks who want to email me 
privately, concerned about my "anger": I'm not at all angry.  I'm simply 
arguing for elevating the discussion here to something other than 
*assumptions* about a poster's intelligence or level of understanding of 
snort.  (And NO, this is not a dig at Mike or anyone else.)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
