[Snort-sigs] False positive on 116:58

Joel Esler joel.esler at ...435...
Thu Oct 19 14:56:31 EDT 2006


Technically, it's not even a rule.  It's a decoder alert.

But, it's probably not good to post the IP/links to your BASE installation to the internet.

Joel


On Thu, Oct 19, 2006 at 10:53:08AM -0700, it looks like Jon Hart sent me:
> On Sun, Oct 15, 2006 at 08:15:43PM +0100, Servelocity (Systems Team) wrote:
> > FALSE POSITIVE
> > 
> > snort-sigs at lists.sourceforge.net
> > 
> > ID:         #0-(2-44) <http://85.8.128.224/base/base_qry_alert.php?submit=%230-%282-44%29&sort_order=>
> > Signature:  [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=116:58>] (snort_decoder): Experimental Tcp Options found
> > Timestamp:  2006-10-15 17:12:56
> > Source:     213.200.77.145 <http://85.8.128.224/base/base_stat_ipaddr.php?ip=213.200.77.145&netmask=32>:4985
> > Dest:       213.200.77.146 <http://85.8.128.224/base/base_stat_ipaddr.php?ip=213.200.77.146&netmask=32>:179
> > Proto:      TCP
> > 
> > 
> > http://www.snort.org/pub-bin/sigs.cgi?sid=116:58
> > 
> > If we block src ip on this it kills the bgp sessions to our providers
> > (port 179) for example the one on 213.200.77.145/30 (Tiscali)
> > 
> > Where is this sig in /etc/snort/rules ?? or in the source ??
> 
> This really isn't a false positive per se, but rather a rule that you
> need to tune according to your setup (with thresholds, etc.).  A false
> positive is an event that isn't actually what the alerting
> sig/preprocessor was designed to detect.  In this case, the traffic you
> are seeing is exactly what the sig was designed to detect.
> 
> -jon
> 
+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
           aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+
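The tuning Jon describes, as an added example that is not part of this thread or of the Snort distribution: a threshold.conf fragment in Snort 2.x syntax (the Snort generation in use on this list in 2006) that keeps decoder event 116:58 from firing for the BGP peer block in the quoted alert, with a rate-limit variant beside it. The addresses and the /30 are taken from the alert above; the file path and the assumption that snort.conf pulls the file in with `include threshold.conf` are mine. Generator 116 is snort_decoder, and the message text "Experimental Tcp Options found" for SID 58 lives in the gen-msg.map shipped with Snort rather than in any file under /etc/snort/rules, which is why the original poster could not find it there.

```conf
# Added example (not from the thread or the Snort project): Snort 2.x threshold.conf
# fragment. Assumed location /etc/snort/threshold.conf, assumed to be included from
# snort.conf with "include threshold.conf".
#
# 116:58 is a decoder event (gen_id 116 = snort_decoder, sig_id 58 = experimental
# TCP options seen in the options field). It has no rule file entry; it is raised by
# the packet decoder and is tuned with suppress/threshold entries such as these.

# Option 1 (narrow): stop alerting on 116:58 only for the BGP peer /30 from the alert
# (213.200.77.144/30 covers .145 and .146), leaving the event live for every other
# source on the sensor. track by_src matches the peer that sent the options.
suppress gen_id 116, sig_id 58, track by_src, ip 213.200.77.144/30

# Option 2 (rate-limit rather than silence): at most one 116:58 alert per source
# address per hour, so a host that starts sending experimental options still shows
# up once in BASE instead of flooding it on every BGP keepalive.
threshold gen_id 116, sig_id 58, type limit, track by_src, count 1, seconds 3600
```

Use one or the other for a given source, not both. If the check has no value anywhere on the sensor, `config disable_tcpopt_experimental_alerts` in snort.conf turns it off globally; the suppress above is the better default because it keeps the event for hosts other than the known BGP peers, and an IPS block or a firewall rule keyed on this event (which is what the original poster tried) should never be wired to a decoder alert that legitimate peers trigger by design.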