[Snort-sigs] False positive on 116:58

Jon Hart jhart at ...288...
Thu Oct 19 13:53:08 EDT 2006


On Sun, Oct 15, 2006 at 08:15:43PM +0100, Servelocity (Systems Team) wrote:
> FALSE POSITIVE
> 
> snort-sigs at lists.sourceforge.net
> 
> #0-(2-44)
> <http://85.8.128.224/base/base_qry_alert.php?submit=%230-%282-44%29&sort_order=>
> 	[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=116:58>]
> (snort_decoder): Experimental Tcp Options found 	2006-10-15 17:12:56
> 213.200.77.145
> <http://85.8.128.224/base/base_stat_ipaddr.php?ip=213.200.77.145&netmask=32>:4985
> 	213.200.77.146
> <http://85.8.128.224/base/base_stat_ipaddr.php?ip=213.200.77.146&netmask32>:179
> 	TCP
> 
> 
> http://www.snort.org/pub-bin/sigs.cgi?sid=116:58
> 
> If we block src ip on this it kills the bgp sessions to our providers
> (port 179), for example the one on 213.200.77.145/30 (Tiscali).
> 
> Where is this sig in /etc/snort/rules ?? or in the source ??

This really isn't a false positive per se, but rather a rule that you
need to tune according to your setup (with thresholds, etc.).  A false
positive is an event that isn't actually what the alerting
sig/preprocessor was designed to detect.  In this case, the traffic you
are seeing is exactly what the sig was designed to detect.

-jon
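Added example, not part of the thread: a snort.conf fragment showing the kind of tuning Jon describes for decoder alert 116:58, scoped to the BGP peering traffic quoted above. The Snort 2.x `suppress`/`threshold` syntax and the `config disable_tcpopt_experimental_alerts` option are assumed to match the reader's Snort version; the peer netblock is the 213.200.77.145/30 from the report.

```snort
# 116:58 is generated by the decoder (gen_id 116), not by a text rule in
# /etc/snort/rules, so it is tuned in snort.conf rather than in a .rules file.

# Narrowest fix: suppress 116:58 only for the known BGP peering netblock,
# so the decoder still alerts on experimental TCP options from anywhere else.
suppress gen_id 116, sig_id 58, track by_src, ip 213.200.77.145/30

# Keep visibility elsewhere but stop the alert flood: at most one 116:58
# event per source address per hour.
threshold gen_id 116, sig_id 58, type limit, track by_src, count 1, seconds 3600

# Bluntest option: turn the experimental-TCP-options decoder alert off
# entirely. This loses detection for every host, so prefer the scoped
# suppress above and only uncomment this if the alert is not wanted at all.
# config disable_tcpopt_experimental_alerts
```

Blocking on this alert alone is what killed the sessions on port 179; suppressing or thresholding it for the peers leaves the BGP traffic untouched while the rest of the decoder's coverage stays in place.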



