[Snort-sigs] False positive on rule 10158

Federico Petronio petrus at ...2312...
Thu Jun 7 10:29:42 EDT 2007


Hello,

I would like to report this false positive on rule 10158.

  Version of Snort
    snort_inline 2.3.0

  Rule SID and revision
    10158. rev 3.

  Command line options when starting snort
    snort -c snort.conf.inline -Q -A none -q

  The operating system being used
    Debian Linux 3.1

  A supporting packet capture that illustrates the false positive case:

length = 140
000 : 00 00 00 88 FF 53 4D 42 2F 00 00 00 00 18 07 C8   .....SMB/.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 03 08 FF FE   ................
020 : 02 20 40 0B 0E FF 00 DE DE 03 40 00 00 00 00 FF   . @.......@.....
030 : FF FF FF 08 00 48 00 00 00 48 00 40 00 00 00 00   .....H...H.@....
040 : 00 49 00 EE 05 00 0B 03 10 00 00 00 48 00 00 00   .I..........H...
050 : 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00   ................
060 : 00 00 01 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47   .....O2Kp....xZG
070 : BF 6E E1 88 03 00 00 00 04 5D 88 8A EB 1C C9 11   .n.......]......
080 : 9F E8 08 00 2B 10 48 60 02 00 00 00               ....+.H`....

  Contact email (we may have a need for more information)
    petrus at ...2312...

  Some text that clearly explains why you think this is a false positive case
    The rule intercepted normal traffic between two Windows servers of the organization


-- 
                                        Federico Petronio
                                        petrus at ...2312...
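Decoding the capture from the report, as an added example that is not part of the original post: it rebuilds the packet from the hex dump above and walks the NetBIOS session, SMB Write AndX and DCE/RPC bind layers to show which RPC interface the client is binding to, which is the first thing a signature maintainer checks when triaging a false positive. The srvsvc interface UUID is a well-known constant rather than something taken from the report, and the helper names are mine.

```python
import re
import struct
import uuid

# The capture as printed in the report (offset : hex pairs   ASCII), 140 bytes in total.
HEXDUMP = """\
000 : 00 00 00 88 FF 53 4D 42 2F 00 00 00 00 18 07 C8   .....SMB/.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 03 08 FF FE   ................
020 : 02 20 40 0B 0E FF 00 DE DE 03 40 00 00 00 00 FF   . @.......@.....
030 : FF FF FF 08 00 48 00 00 00 48 00 40 00 00 00 00   .....H...H.@....
040 : 00 49 00 EE 05 00 0B 03 10 00 00 00 48 00 00 00   .I..........H...
050 : 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00   ................
060 : 00 00 01 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47   .....O2Kp....xZG
070 : BF 6E E1 88 03 00 00 00 04 5D 88 8A EB 1C C9 11   .n.......]......
080 : 9F E8 08 00 2B 10 48 60 02 00 00 00               ....+.H`....
"""
# Well-known DCE/RPC interface UUID of srvsvc (the Server Service); a known constant, not from the report.
KNOWN_INTERFACES = {uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188"): "srvsvc"}

def parse_hexdump(text):
    """Rebuild raw bytes from 'offset : hex pairs   ascii' lines; the ASCII column is ignored."""
    out = bytearray()
    for line in text.splitlines():
        if ":" in line:
            hexpart = re.split(r"\s{3,}", line.split(":", 1)[1].strip())[0]
            out.extend(int(h, 16) for h in hexpart.split())
    return bytes(out)

def decode_smb_rpc_bind(pkt):
    """Walk NetBIOS session -> SMB Write AndX (0x2F) -> DCE/RPC bind and return the key fields."""
    if pkt[4:8] != b"\xffSMB" or pkt[8] != 0x2F:
        raise ValueError("not an SMB Write AndX request")
    nbss_len = int.from_bytes(pkt[1:4], "big")  # 3-byte session message length
    # Write AndX words start at SMB offset 0x21; DataOffset is the 12th word, relative to the SMB header.
    data_offset = struct.unpack_from("<H", pkt, 0x3B)[0]
    rpc = pkt[4 + data_offset:]
    ptype, drep = rpc[2], rpc[4]
    if not drep & 0x10:  # only little-endian NDR is decoded below
        raise ValueError("big-endian data representation not handled")
    info = {"nbss_len": nbss_len, "smb_command": pkt[8], "ptype": ptype,
            "frag_len": struct.unpack_from("<H", rpc, 8)[0]}
    if ptype == 0x0B:  # bind
        # body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1)+pad(3); first context element at 28:
        # ctx_id(2) n_transfer_syntaxes(1) pad(1) abstract-syntax UUID(16) version(4)
        iface = uuid.UUID(bytes_le=rpc[32:48])
        info["interface"] = KNOWN_INTERFACES.get(iface, str(iface))
        info["interface_version"] = struct.unpack_from("<H", rpc, 48)[0]  # major version
    return info
```

On this capture the decoder reports a 72-byte DCE/RPC bind to srvsvc v3 carried in an SMB Write AndX, i.e. the ordinary first step of a named-pipe RPC conversation, which is consistent with the reporter's description of normal server-to-server traffic.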