[Snort-sigs] False positive on rule 10012

Federico Petronio petrus at ...2312...
Thu Jun 7 10:30:11 EDT 2007


Hello,

I would like to report this false positive on rule 10012.

  Version of Snort
    snort_inline 2.3.0

  Rule SID and revision
    10012. rev 1.

  Command line options when starting snort
    snort -c snort.conf.inline -Q -A none -q

  The operating system being used
    Debian Linux 3.1

  A supporting packet capture that illustrates the false positive case:

0000000: 4163 6569 6b35 6f35 566f 3468 4350 314e  Aceik5o5Vo4hCP1N
0000010: 5431 7552 4742 344b 5359 4768 4d51 4141  T1uRGB4KSYGhMQAA
0000020: 4141 3067 4141 4146 7545 4141 4147 4e4f  AA0gAAAFuEAAAGNO
0000030: 4141 3d3d 0d0a 4672 6f6d 3a20 2278 7878  AA==..From: "xxx
0000040: 7878 7878 7878 7878 7822 203c 7878 7878  xxxxxxxxx" <xxxx
0000050: 7878 7878 7878 7840 7878 7878 7878 3e0d  xxxxxxx at ...3295...>.
0000060: 0a54 6f3a 2022 7878 7878 7878 7878 7878  .To: "xxxxxxxxxx
0000070: 7878 7878 7878 7878 7822 203c 7878 7878  xxxxxxxxx" <xxxx
0000080: 7878 7840 7878 7878 7878 7878 783e 0d0a  xxx at ...3296...>..
0000090: 0d0a 5468 6973 2069 7320 6120 6d75 6c74  ..This is a mult
00000a0: 692d 7061 7274 206d 6573 7361 6765 2069  i-part message i
00000b0: 6e20 4d49 4d45 2066 6f72 6d61 742e 0d0a  n MIME format...
00000c0: 0d0a 2d2d 2d2d 2d2d 5f3d 5f4e 6578 7450  ..------_=_NextP
00000d0: 6172 745f 3030 315f 3031 4337 4132 3935  art_001_01C7A295
00000e0: 2e33 4538 4341 3942 430d 0a43 6f6e 7465  .3E8CA9BC..Conte
00000f0: 6e74 2d54 7970 653a 2074 6578 742f 706c  nt-Type: text/pl
0000100: 6169 6e3b 0d0a 0963 6861 7273 6574 3d22  ain;...charset="
0000110: 6973 6f2d 3838 3539 2d31 220d 0a43 6f6e  iso-8859-1"..Con
0000120: 7465 6e74 2d54 7261 6e73 6665 722d 456e  tent-Transfer-En
0000130: 636f 6469 6e67 3a20 7175 6f74 6564 2d70  coding: quoted-p
0000140: 7269 6e74 6162 6c65 0d0a 0d0a 0d0a 2d2d  rintable......--
0000150: 2d2d 2d2d 5f3d 5f4e 6578 7450 6172 745f  ----_=_NextPart_
0000160: 3030 315f 3031 4337 4132 3935 2e33 4538  001_01C7A295.3E8
0000170: 4341 3942 430d 0a43 6f6e 7465 6e74 2d54  CA9BC..Content-T
0000180: 7970 653a 2074 6578 742f 6874 6d6c 3b0d  ype: text/html;.
0000190: 0a09 6368 6172 7365 743d 2269 736f 2d38  ..charset="iso-8
00001a0: 3835 392d 3122 0d0a 436f 6e74 656e 742d  859-1"..Content-
00001b0: 5472 616e 7366 6572 2d45 6e63 6f64 696e  Transfer-Encodin
00001c0: 673a 2071 756f 7465 642d 7072 696e 7461  g: quoted-printa
00001d0: 626c 650d 0a0d 0a3c 4d45 5441 2048 5454  ble....<META HTT
00001e0: 502d 4551 5549 563d 3344 2243 6f6e 7465  P-EQUIV=3D"Conte
00001f0: 6e74 2d54 7970 6522 2043 4f4e 5445 4e54  nt-Type" CONTENT
0000200: 3d33 4422 7465 7874 2f68 746d 6c3b 203d  =3D"text/html; =
0000210: 0d0a 6368 6172 7365 743d 3344 6973 6f2d  ..charset=3Diso-
0000220: 3838 3539 2d31 223e 0d0a 0d0a 2d2d 2d2d  8859-1">....----
0000230: 2d2d 5f3d 5f4e 6578 7450 6172 745f 3030  --_=_NextPart_00
0000240: 315f 3031 4337 4132 3935 2e33 4538 4341  1_01C7A295.3E8CA
0000250: 3942 430d 0a63 6f6e 7465 6e74 2d63 6c61  9BC..content-cla
0000260: 7373 3a20 7572 6e3a 636f 6e74 656e 742d  ss: urn:content-
0000270: 636c 6173 7365 733a 6361 6c65 6e64 6172  classes:calendar
0000280: 6d65 7373 6167 650d 0a43 6f6e 7465 6e74  message..Content
0000290: 2d54 7970 653a 2074 6578 742f 6361 6c65  -Type: text/cale
00002a0: 6e64 6172 3b0d 0a09 6d65 7468 6f64 3d52  ndar;...method=R
00002b0: 4550 4c59 3b0d 0a09 6e61 6d65 3d22 6d65  EPLY;...name="me
00002c0: 6574 696e 672e 6963 7322 0d0a 436f 6e74  eting.ics"..Cont
00002d0: 656e 742d 5472 616e 7366 6572 2d45 6e63  ent-Transfer-Enc
00002e0: 6f64 696e 673a 2038 6269 740d 0a0d 0a42  oding: 8bit....B
00002f0: 4547 494e 3a56 4341 4c45 4e44 4152 0d0a  EGIN:VCALENDAR..
0000300: 4d45 5448 4f44 3a52 4550 4c59 0d0a 5052  METHOD:REPLY..PR
0000310: 4f44 4944 3a4d 6963 726f 736f 6674 2043  ODID:Microsoft C
0000320: 444f 2066 6f72 204d 6963 726f 736f 6674  DO for Microsoft
0000330: 2045 7863 6861 6e67 650d 0a56 4552 5349   Exchange..VERSI
0000340: 4f4e 3a32 2e30 0d0a 4245 4749 4e3a 5654  ON:2.0..BEGIN:VT
0000350: 494d 455a 4f4e 450d 0a54 5a49 443a 5361  IMEZONE..TZID:Sa
0000360: 7261 6a65 766f 5c2c 2053 6b6f 706a 655c  rajevo\, Skopje\
0000370: 2c20 536f 6669 6a61 5c2c 2056 696c 6e69  , Sofija\, Vilni
0000380: 7573 5c2c 2057 6172 7361 775c 2c20 5a61  us\, Warsaw\, Za
0000390: 6772 6562 0d0a 582d 4d49 4352 4f53 4f46  greb..X-MICROSOF
00003a0: 542d 4344 4f2d 545a 4944 3a32 0d0a 4245  T-CDO-TZID:2..BE
00003b0: 4749 4e3a 5354 414e 4441 5244 0d0a 4454  GIN:STANDARD..DT
00003c0: 5354 4152 543a 3136 3031 3031 3031 5430  START:16010101T0
00003d0: 3330 3030 300d 0a54 5a4f 4646 5345 5446  30000..TZOFFSETF
00003e0: 524f 4d3a 2b30 3230 300d 0a54 5a4f 4646  ROM:+0200..TZOFF
00003f0: 5345 5454 4f3a 2b30 3130 300d 0a52 5255  SETTO:+0100..RRU
0000400: 4c45 3a46 5245 513d 5945 4152 4c59 3b57  LE:FREQ=YEARLY;W
0000410: 4b53 543d 4d4f 3b49 4e54 4552 5641 4c3d  KST=MO;INTERVAL=
0000420: 313b 4259 4d4f 4e54 483d 3130 3b42 5944  1;BYMONTH=10;BYD
0000430: 4159 3d2d 3153 550d 0a45 4e44 3a53 5441  AY=-1SU..END:STA
0000440: 4e44 4152 440d 0a42 4547 494e 3a44 4159  NDARD..BEGIN:DAY
0000450: 4c49 4748 540d 0a44 5453 5441 5254 3a31  LIGHT..DTSTART:1
0000460: 3630 3130 3130 3154 3032 3030 3030 0d0a  6010101T020000..
0000470: 545a 4f46 4653 4554 4652 4f4d 3a2b 3031  TZOFFSETFROM:+01
0000480: 3030 0d0a 545a 4f46 4653 4554 544f 3a2b  00..TZOFFSETTO:+
0000490: 3032 3030 0d0a 5252 554c 453a 4652 4551  0200..RRULE:FREQ
00004a0: 3d59 4541 524c 593b 574b 5354 3d4d 4f3b  =YEARLY;WKST=MO;
00004b0: 494e 5445 5256 414c 3d31 3b42 594d 4f4e  INTERVAL=1;BYMON
00004c0: 5448 3d33 3b42 5944 4159 3d2d 3153 550d  TH=3;BYDAY=-1SU.
00004d0: 0a45 4e44 3a44 4159 4c49 4748 540d 0a45  .END:DAYLIGHT..E
00004e0: 4e44 3a56 5449 4d45 5a4f 4e45 0d0a 4245  ND:VTIMEZONE..BE
00004f0: 4749 4e3a 5645 5645 4e54 0d0a 4454 5354  GIN:VEVENT..DTST
0000500: 414d 503a 3230 3037 3035 3330 5430 3832  AMP:20070530T082
0000510: 3230 335a 0d0a 4454 5354 4152 543b 545a  203Z..DTSTART;TZ
0000520: 4944 3d22 5361 7261 6a65 766f 2c20 536b  ID="Sarajevo, Sk
0000530: 6f70 6a65 2c20 536f 6669 6a61 2c20 5669  opje, Sofija, Vi
0000540: 6c6e 6975 732c 2057 6172 7361 772c 205a  lnius, Warsaw, Z
0000550: 6167 7265 6222 3a32 0d0a                 agreb":2..

  Contact email
    petrus at ...2312...

  Some text that clearly explains why you think this is a false positive case
    The rule intercepted traffic between two nodes of MS Exchange of the organization

-- 
                                        Federico Petronio
                                        petrus at ...2312...
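A reviewer assessing a report like this one normally starts by rebuilding the payload from the hex dump and reading the MIME structure around the alert, rather than trusting the ASCII column (the list archive has already rewritten addresses in it). The following is an added example, not code from the post or from the Snort project: a small parser for xxd-style dumps that uses only the offset and hex columns, refuses dumps with missing lines, and summarizes the MIME part that carries the Exchange meeting reply. The embedded dump is a verbatim excerpt of the capture above (offsets 0x220 to 0x300); the parser itself is generic and also copes with the padded ASCII column of a full xxd line, which the excerpt omits.

```python
import re
from typing import Dict, List, Optional, Tuple

# Excerpt (offsets 0x220-0x300) of the xxd-style dump from the report. Only
# the offset and hex columns are kept: the list archive scrubbed addresses in
# the ASCII column, so the hex column is the only trustworthy copy.
CAPTURE_EXCERPT = """\
0000220: 3838 3539 2d31 223e 0d0a 0d0a 2d2d 2d2d
0000230: 2d2d 5f3d 5f4e 6578 7450 6172 745f 3030
0000240: 315f 3031 4337 4132 3935 2e33 4538 4341
0000250: 3942 430d 0a63 6f6e 7465 6e74 2d63 6c61
0000260: 7373 3a20 7572 6e3a 636f 6e74 656e 742d
0000270: 636c 6173 7365 733a 6361 6c65 6e64 6172
0000280: 6d65 7373 6167 650d 0a43 6f6e 7465 6e74
0000290: 2d54 7970 653a 2074 6578 742f 6361 6c65
00002a0: 6e64 6172 3b0d 0a09 6d65 7468 6f64 3d52
00002b0: 4550 4c59 3b0d 0a09 6e61 6d65 3d22 6d65
00002c0: 6574 696e 672e 6963 7322 0d0a 436f 6e74
00002d0: 656e 742d 5472 616e 7366 6572 2d45 6e63
00002e0: 6f64 696e 673a 2038 6269 740d 0a0d 0a42
00002f0: 4547 494e 3a56 4341 4c45 4e44 4152 0d0a
0000300: 4d45 5448 4f44 3a52 4550 4c59 0d0a 5052
"""

_HEX_GROUP = re.compile(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}")
_FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")


def _dump_line(line: str) -> Optional[Tuple[int, bytes]]:
    """Return (offset, bytes) for one xxd line, or None for a non-dump line.
    The hex field ends at the first double space, which is where xxd pads
    before the ASCII column, so ASCII text is never mistaken for hex."""
    if ":" not in line:
        return None
    off_text, rest = line.split(":", 1)
    off_text = off_text.strip()
    if not re.fullmatch(r"[0-9a-fA-F]{1,16}", off_text):
        return None
    groups = rest.strip(" ").split("  ", 1)[0].split()
    if not groups or not all(_HEX_GROUP.fullmatch(g) for g in groups):
        return None
    return int(off_text, 16), bytes.fromhex("".join(groups))


def reassemble(dump: str) -> bytes:
    """Rebuild the payload from the offset and hex columns of an xxd dump.
    Offsets must be contiguous: a gap means lines were lost when the dump was
    quoted, and silently joining across it would corrupt the evidence."""
    out = bytearray()
    expected: Optional[int] = None
    for line in dump.splitlines():
        parsed = _dump_line(line)
        if parsed is None:
            continue  # prose, blank line, or anything else that is not a dump row
        offset, chunk = parsed
        if expected is not None and offset != expected:
            raise ValueError(f"dump gap: expected 0x{expected:x}, got 0x{offset:x}")
        out += chunk
        expected = offset + len(chunk)
    return bytes(out)


def unfold_fields(text: str) -> List[Tuple[str, str]]:
    """Collect 'Name: value' lines, joining folded continuation lines (the
    RFC 2822 style that iCalendar shares) so a multi-line Content-Type is
    seen whole. Order is preserved; names are lower-cased."""
    fields: List[Tuple[str, str]] = []
    for line in text.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        m = _FIELD.match(line)
        if m:
            fields.append((m.group(1).lower(), m.group(2).strip()))
    return fields


def summarize_part(raw: bytes) -> Dict[str, object]:
    """Extract what a rule reviewer wants from a MIME part: boundary
    delimiters seen, media type and its parameters, transfer encoding and,
    for text/calendar, the iCalendar METHOD property."""
    text = raw.decode("latin-1")  # byte-preserving; the part declares iso-8859-1
    fields = dict(unfold_fields(text))
    boundaries = [ln[2:] for ln in text.split("\r\n")
                  if ln.startswith("--") and len(ln) > 2]
    media_type, params = "", {}
    if "content-type" in fields:
        head, *rest = fields["content-type"].split(";")
        media_type = head.strip().lower()
        for p in rest:
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.strip().lower()] = v.strip().strip('"')
    return {
        "boundaries": boundaries,
        "media_type": media_type,
        "params": params,
        "transfer_encoding": fields.get("content-transfer-encoding", "").lower(),
        "icalendar_method": fields.get("method"),
    }


def review_capture(dump: str = CAPTURE_EXCERPT) -> Dict[str, object]:
    """Reassemble a dump and summarize it in one step."""
    return summarize_part(reassemble(dump))


if __name__ == "__main__":
    for key, value in review_capture().items():
        print(f"{key}: {value}")
```

Run against the excerpt, the summary shows a `text/calendar` part with `method=REPLY`, `name="meeting.ics"`, an `8bit` transfer encoding and `METHOD:REPLY` inside the VCALENDAR body, which is exactly the Exchange-to-Exchange meeting reply the report describes; comparing that against what the rule's content matches actually require is the next step in deciding whether the signature needs tightening.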
