[Snort-sigs] False positive on rule 10158

Matthew Watchinski mwatchinski at ...435...
Thu Jun 7 11:31:16 EDT 2007


This rule will be deleted.  Use the SO rule, gid 3,sid 10161

Federico Petronio wrote:
> Hello,
> 
> I would like to report this false positive on rule 10158.
> 
>   Version of Snort
>     snort_inline 2.3.0
> 
>   Rule SID and revision
>     10158. rev 3.
> 
>   Command line options when starting snort
>     snort -c snort.conf.inline -Q -A none -q
> 
>   The operating system being used
>     Debian Linux 3.1
> 
>   A supporting packet capture that illustrates the false positive case:
> 
> length = 140
> 000 : 00 00 00 88 FF 53 4D 42 2F 00 00 00 00 18 07 C8   .....SMB/.......
> 010 : 00 00 00 00 00 00 00 00 00 00 00 00 03 08 FF FE   ................
> 020 : 02 20 40 0B 0E FF 00 DE DE 03 40 00 00 00 00 FF   . @.......@.....
> 030 : FF FF FF 08 00 48 00 00 00 48 00 40 00 00 00 00   .....H...H.@....
> 040 : 00 49 00 EE 05 00 0B 03 10 00 00 00 48 00 00 00   .I..........H...
> 050 : 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00   ................
> 060 : 00 00 01 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47   .....O2Kp....xZG
> 070 : BF 6E E1 88 03 00 00 00 04 5D 88 8A EB 1C C9 11   .n.......]......
> 080 : 9F E8 08 00 2B 10 48 60 02 00 00 00               ....+.H`....
> 
>   Contact email (we may have a need for more information)
>     petrus at ...2312...
> 
>   Some text that clearly explains why you think this is a false positive
> case
>     The rule intercepted normal traffic between two Windows servers of
> the organization
> 
> 
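When triaging a false-positive report like this one, the first step is to decode the supplied capture and see what the flagged bytes actually are before deciding whether the rule or the traffic is at fault. The decoder below is an added example, not code from the post or from Snort; it re-reads the hex dump quoted above (the ASCII column is ignored; the archive's address obfuscator had mangled two of its lines), then walks the NetBIOS session header, the SMB header, the WriteAndX parameter block and the DCERPC header carried in the write data. The two interface UUID names in `WELL_KNOWN_UUIDS` are well-known published values and are an addition here, as is the fixed-column parsing assumption for the dump layout.

```python
import struct
import uuid

# Hex dump quoted from the report above. parse_dump() uses only the 16 hex
# bytes per line (columns 6..52); the offset and ASCII columns are ignored.
CAPTURE_DUMP = """\
000 : 00 00 00 88 FF 53 4D 42 2F 00 00 00 00 18 07 C8   .....SMB/.......
010 : 00 00 00 00 00 00 00 00 00 00 00 00 03 08 FF FE   ................
020 : 02 20 40 0B 0E FF 00 DE DE 03 40 00 00 00 00 FF   . @.......@.....
030 : FF FF FF 08 00 48 00 00 00 48 00 40 00 00 00 00   .....H...H.@....
040 : 00 49 00 EE 05 00 0B 03 10 00 00 00 48 00 00 00   .I..........H...
050 : 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00   ................
060 : 00 00 01 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47   .....O2Kp....xZG
070 : BF 6E E1 88 03 00 00 00 04 5D 88 8A EB 1C C9 11   .n.......]......
080 : 9F E8 08 00 2B 10 48 60 02 00 00 00               ....+.H`....
"""

SMB_COM_WRITE_ANDX = 0x2F
DCERPC_PTYPE_BIND = 0x0B

# Well-known DCE/RPC UUIDs (published values, added for this example).
WELL_KNOWN_UUIDS = {
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": "srvsvc",
    "8a885d04-1ceb-11c9-9fe8-08002b104860": "NDR transfer syntax",
}


def parse_dump(dump: str) -> bytes:
    """Rebuild raw bytes from 'OFF : XX XX ... ASCII' lines (fixed columns assumed)."""
    out = bytearray()
    for line in dump.splitlines():
        out += bytes.fromhex(line[6:53].replace(" ", ""))
    return bytes(out)


def uuid_le(raw: bytes) -> str:
    """DCE/RPC stores UUIDs little-endian; uuid.UUID handles the swap."""
    return str(uuid.UUID(bytes_le=raw))


def rpc_version(v: int) -> str:
    """if_version packs major in the low 16 bits and minor in the high 16."""
    return f"{v & 0xFFFF}.{v >> 16}"


def decode_capture(pkt: bytes) -> dict:
    """Decode NetBIOS -> SMB WriteAndX -> DCERPC bind; raise on length mismatches."""
    info = {}
    nb_len = struct.unpack(">I", pkt[0:4])[0] & 0x00FFFFFF  # type byte + 24-bit length
    if nb_len + 4 != len(pkt):
        raise ValueError(f"NetBIOS length {nb_len} != {len(pkt) - 4} captured payload bytes")
    info["netbios_length"] = nb_len

    # 32-byte SMB header: magic, command, status, flags, flags2, pid_high,
    # signature, reserved, tid, pid, uid, mid
    (magic, cmd, _status, _flags, flags2, _pid_high, _sig, _res,
     tid, pid, uid, mid) = struct.unpack_from("<4sBIBHH8sHHHHH", pkt, 4)
    if magic != b"\xffSMB":
        raise ValueError("not an SMB message")
    info.update(smb_command=cmd, smb_flags2=flags2, tid=tid, pid=pid, uid=uid, mid=mid)
    if cmd != SMB_COM_WRITE_ANDX:
        return info

    # WriteAndX: WordCount byte, then 14 parameter words
    word_count = pkt[36]
    (_andx_cmd, _andx_res, _andx_off, fid, _offset, _timeout, write_mode, _remaining,
     _dlen_high, data_len, data_off, _offset_high) = struct.unpack_from("<BBHHIIHHHHHI", pkt, 37)
    info.update(write_wordcount=word_count, fid=fid, write_mode=write_mode, data_len=data_len)
    data = pkt[4 + data_off: 4 + data_off + data_len]   # DataOffset is from the SMB header
    if len(data) != data_len:
        raise ValueError("WriteAndX DataLength exceeds captured bytes")

    # DCERPC common header (16 bytes)
    ver, _minor, ptype, _pfc, drep, frag_len, _auth_len, call_id = struct.unpack_from("<BBBB4sHHI", data, 0)
    if ver != 5 or not drep[0] & 0x10:
        raise ValueError("unexpected DCERPC version or big-endian data representation")
    if frag_len != data_len:
        raise ValueError(f"DCERPC frag_length {frag_len} != WriteAndX DataLength {data_len}")
    info.update(dcerpc_ptype=ptype, dcerpc_frag_len=frag_len, dcerpc_call_id=call_id)
    if ptype != DCERPC_PTYPE_BIND:
        return info

    # Bind body and the first presentation context item (one transfer syntax assumed)
    max_xmit, _max_recv, _assoc_group, n_ctx = struct.unpack_from("<HHIB3x", data, 16)
    _ctx_id, _n_ts, _res2, abs_uuid, abs_ver, ts_uuid, ts_ver = struct.unpack_from("<HBB16sI16sI", data, 28)
    info.update(
        max_xmit_frag=max_xmit, context_count=n_ctx,
        abstract_syntax=uuid_le(abs_uuid), abstract_version=rpc_version(abs_ver),
        abstract_name=WELL_KNOWN_UUIDS.get(uuid_le(abs_uuid), "unknown"),
        transfer_syntax=uuid_le(ts_uuid), transfer_version=rpc_version(ts_ver),
        transfer_name=WELL_KNOWN_UUIDS.get(uuid_le(ts_uuid), "unknown"),
    )
    return info


if __name__ == "__main__":
    for key, value in decode_capture(parse_dump(CAPTURE_DUMP)).items():
        print(f"{key:>18}: {value:#x}" if isinstance(value, int) else f"{key:>18}: {value}")
```

Run stand-alone, the script shows the capture is an SMB WriteAndX carrying a 72-byte DCERPC bind request (call_id 1) whose abstract syntax is the srvsvc interface v3.0 with the standard NDR transfer syntax; that is ordinary Windows-to-Windows RPC setup, which is the context a rule maintainer needs when judging the report.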
