[Snort-sigs] unsubscribe

Rowland, Krisa W ERDC-ITL-MS Krisa.W.Rowland at ...2112...
Thu Jun 7 14:55:27 EDT 2007


 

-----Original Message-----
From: snort-sigs-bounces at lists.sourceforge.net
[mailto:snort-sigs-bounces at lists.sourceforge.net] On Behalf Of
snort-sigs-request at lists.sourceforge.net
Sent: Thursday, June 07, 2007 11:13 AM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs Digest, Vol 13, Issue 4

Send Snort-sigs mailing list submissions to
	snort-sigs at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
	snort-sigs-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-sigs-owner at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. False positive on rule 10995 (Federico Petronio)
   2. Re: False positive on rule 10158 (Matthew Watchinski)
   3. Re: False positive on rule 10012 (Federico Petronio)
   4. Re: False positive on rule 10995 (Federico Petronio)


----------------------------------------------------------------------

Message: 1
Date: Thu, 07 Jun 2007 11:30:17 -0300
From: Federico Petronio <petrus at ...2312...>
Subject: [Snort-sigs] False positive on rule 10995
To: Snort Signatures List <snort-sigs at lists.sourceforge.net>
Message-ID: <46681679.4000403 at ...2312...>
Content-Type: text/plain; charset=ISO-8859-1

Hello,

I would like to report this false positive on rule 10995.

  Version of Snort
    snort_inline 2.3.0

  Rule SID and revision
    10995. rev 1.

  Command line options when starting snort
    snort -c snort.conf.inline -Q -A none -q

  The operating system being used
    Debian Linux 3.1

  A supporting packet capture that illustrates the false positive case:

length = 1368
000 : 5A 63 2F 37 62 48 62 48 67 47 70 4E 6E 6A 58 54   Zc/7bHbHgGpNnjXT
010 : 53 72 4D 67 47 59 64 76 37 4E 50 55 46 4E 66 6D   SrMgGYdv7NPUFNfm
020 : 61 52 4C 67 53 67 41 55 42 54 48 38 50 68 66 67   aRLgSgAUBTH8Phfg
030 : 6C 2B 55 46 53 42 2B 67 0D 0A 4E 5A 6A 65 6D 5A   l+UFSB+g..NZjemZ
040 : 51 38 4C 57 67 59 77 41 47 48 69 44 52 4C 4B 41   Q8LWgYwAGHiDRLKA
050 : 70 4D 39 73 51 51 41 44 34 41 52 47 77 6A 61 52   pM9sQQAD4ARGwjaR
060 : 4A 39 56 46 6F 48 30 6D 4A 74 2B 71 45 6F 39 62   J9VFoH0mJt+qEo9b
070 : 55 41 38 59 41 39 42 6F 32 73 76 4D 7A 4D 78 4D   UA8YA9Bo2svMzMxM
080 : 4A 30 44 42 52 73 0D 0A 54 77 41 47 43 55 41 43   J0DBRs..TwAGCUAC
090 : 72 64 5A 37 75 47 33 43 30 42 44 41 54 6C 30 55   rdZ7uG3C0BDATl0U
0a0 : 71 42 37 61 56 35 45 35 41 45 52 71 5A 52 42 2B   qB7aV5E5AERqZRB+
0b0 : 49 71 31 43 6B 6F 45 51 39 4E 45 51 7A 4D 41 51   Iq1CkoEQ9NEQzMAQ
0c0 : 42 53 70 62 69 4A 70 6E 37 73 4C 51 51 41 38 45   BSpbiJpn7sLQQA8E
0d0 : 7A 76 49 4A 0D 0A 51 51 42 45 65 6E 41 50 4B 51   zvIJ..QQBEenAPKQ
0e0 : 51 52 4C 78 51 43 42 49 34 4B 70 6E 65 4A 31 61   QRLxQCBI4KpneJ1a
0f0 : 4B 30 49 51 34 79 63 79 49 35 78 76 46 43 30 42   K0IQ4ycyI5xvFC0B
100 : 53 6F 48 2F 72 42 70 55 59 41 52 43 54 6F 6A 77   SoH/rBpUYARCTojw
110 : 46 2B 35 49 44 79 4A 31 77 54 4C 78 51 42 41 41   F+5IDyJ1wTLxQBAA
120 : 61 45 0D 0A 41 55 34 7A 61 38 58 79 64 41 77 2B   aE..AU4za8XydAw+
130 : 55 41 2F 77 75 79 4D 4A 51 41 69 35 4A 52 73 67   UA/wuyMJQAi5JRsg
140 : 73 51 4A 63 4D 67 52 35 56 4B 67 66 30 4B 46 52   sQJcMgR5VKgf0KFR
150 : 70 68 4A 2F 4A 44 6F 6B 41 51 75 41 43 65 36 61   phJ/JDokAQuACe6a
160 : 79 6E 73 53 64 41 77 70 44 41 6E 68 74 55 51 53   ynsSdAwpDAnhtUQS
170 : 0D 0A 41 7A 67 65 6B 73 4D 45 4C 6D 52 46 5A 68   ..AzgeksMELmRFZh
180 : 4A 50 64 36 45 32 66 79 6D 6F 46 54 42 49 41 67   JPd6E2fymoFTBIAg
190 : 4D 44 5A 59 5A 4D 61 32 4B 77 4E 67 51 67 62 61   MDZYZMa2KwNgQgba
1a0 : 64 4D 48 75 36 43 55 7A 62 4F 73 37 65 68 7A 49   dMHu6CUzbOs7ehzI
1b0 : 42 59 70 77 76 33 34 42 78 6E 76 73 4E 61 0D 0A   BYpwv34BxnvsNa..
1c0 : 41 5A 72 37 76 6C 6E 4D 6F 6C 43 7A 41 74 37 55   AZr7vlnMolCzAt7U
1d0 : 36 4C 50 71 52 72 39 42 6E 36 48 4D 67 46 70 78   6LPqRr9Bn6HMgFpx
1e0 : 32 75 64 35 43 67 4A 63 76 76 67 4C 6E 72 34 36   2ud5CgJcvvgLnr46
1f0 : 43 42 63 35 6A 49 43 49 58 67 41 54 5A 79 54 38   CBc5jICIXgATZyT8
200 : 49 64 6A 46 6B 62 62 48 68 6F 74 61 0D 0A 42 47   IdjFkbbHhota..BG
210 : 4F 33 30 50 49 49 35 75 72 4B 59 38 6F 49 72 72   O30PII5urKY8oIrr
220 : 4B 41 75 6A 61 59 38 75 70 4D 2B 76 76 49 57 69   KAujaY8upM+vvIWi
230 : 65 42 4B 34 41 6C 69 42 5A 56 44 64 4B 49 75 67   eBK4AliBZVDdKIug
240 : 59 41 55 57 6B 78 35 51 52 58 57 55 41 6B 35 43   YAUWkx5QRXWUAk5C
250 : 6B 4A 71 30 50 39 53 5A 39 63 0D 0A 4F 7A 77 72   kJq0P9SZ9c..Ozwr
260 : 41 45 54 47 5A 76 4F 42 4A 43 4A 77 45 59 41 6E   AETGZvOBJCJwEYAn
270 : 42 41 54 4E 71 61 45 61 72 58 75 4B 4A 34 42 6F   BATNqaEarXuKJ4Bo
280 : 64 2F 4A 72 48 71 59 58 4C 53 69 42 69 45 35 59   d/JrHqYXLSiBiE5Y
290 : 47 41 41 50 33 4F 41 32 32 58 74 47 73 31 6F 41   GAAP3OA22XtGs1oA
2a0 : 49 6D 76 2B 2F 6F 72 41 0D 0A 73 6F 46 69 4A 72   Imv+/orA..soFiJr
2b0 : 6A 53 73 61 56 71 54 50 72 70 42 42 41 78 41 45   jSsaVqTPrpBBAxAE
2c0 : 48 4E 49 2B 6E 66 67 52 49 34 46 77 41 4E 30 34   HNI+nfgRI4FwAN04
2d0 : 6C 73 57 43 42 58 50 61 30 41 58 4F 78 44 6E 4A   lsWCBXPa0AXOxDnJ
2e0 : 74 64 57 55 43 77 6F 6E 51 55 79 30 4F 50 38 50   tdWUCwonQUy0OP8P
2f0 : 36 53 47 41 6E 50 0D 0A 4B 69 4D 33 45 6A 74 2B   6SGAnP..KiM3Ejt+
300 : 76 37 41 4E 49 73 41 51 41 41 66 53 69 64 4F 30   v7ANIsAQAAfSidO0
310 : 78 69 73 56 72 51 44 77 65 4E 64 32 42 64 78 5A   xisVrQDweNd2BdxZ
320 : 51 4C 4C 76 35 41 63 4F 67 4B 2F 6F 30 67 30 49   QLLv5AcOgK/o0g0I
330 : 43 4B 45 4E 67 6C 67 79 41 41 66 53 63 41 4D 71   CKENglgyAAfScAMq
340 : 67 39 38 68 0D 0A 72 51 43 49 44 61 47 73 61 4A   g98h..rQCIDaGsaJ
350 : 78 5A 51 4C 44 76 4C 67 33 71 34 68 2F 73 30 67   xZQLDvLg3q4h/s0g
360 : 32 56 7A 79 65 64 46 49 49 69 35 4B 45 41 42 6A   2VzyedFIIi5KEABj
370 : 70 73 6F 79 2B 4C 45 61 30 41 4B 75 53 34 32 50   psoy+LEa0AKuS42P
380 : 73 62 57 6B 43 77 4F 30 36 6F 56 48 6F 33 34 43   sbWkCwO06oVHo34C
390 : 57 63 0D 0A 46 41 51 39 68 5A 55 33 41 45 54 65   Wc..FAQ9hZU3AETe
3a0 : 62 6B 75 43 70 4D 53 68 41 42 50 66 63 42 33 78   bkuCpMShABPfcB3x
3b0 : 78 76 59 4C 57 67 56 42 6A 33 77 61 67 35 46 74   xvYLWgVBj3wag5Ft
3c0 : 53 42 47 4B 62 42 69 30 67 4F 74 53 42 47 4C 6F   SBGKbBi0gOtSBGLo
3d0 : 59 43 63 38 71 6C 51 50 37 5A 46 31 72 55 36 43   YCc8qlQP7ZF1rU6C
3e0 : 0D 0A 69 47 63 47 5A 75 54 38 49 64 76 77 79 63   ..iGcGZuT8Idvwyc
3f0 : 6F 57 5A 41 34 48 6A 6A 79 4C 4B 36 4B 74 78 43   oWZA4HjjyLK6KtxC
400 : 55 35 74 45 51 4F 41 32 70 55 44 2B 52 50 32 36   U5tEQOA2pUD+RP26
410 : 71 42 67 79 55 6F 6C 42 77 43 32 48 4A 43 6F 59   qBgyUolBwC2HJCoY
420 : 5A 6B 44 41 41 46 6A 32 33 6F 63 59 47 73 0D 0A   ZkDAAFj23ocYGs..
430 : 50 6A 72 6D 2F 42 71 30 67 4E 73 50 6A 72 6E 71   Pjrm/Bq0gNsPjrnq
440 : 56 41 2F 6E 44 39 47 70 4E 49 4D 69 54 45 38 43   VA/nD9GpNIMiTE8C
450 : 61 62 72 49 6E 66 74 49 51 51 30 59 77 74 70 44   abrInftIQQ0YwtpD
460 : 67 31 74 61 51 4C 50 38 69 67 42 4F 62 47 50 59   g1taQLP8igBObGPY
470 : 69 6A 51 2F 33 42 41 42 57 41 67 41 0D 0A 43 34   ijQ/3BABWAgA..C4
480 : 4F 6C 64 43 48 53 73 4B 48 75 4D 36 64 42 72 51   OldCHSsKHuM6dBrQ
490 : 42 59 47 49 52 56 4D 5A 6C 61 51 4C 46 6C 7A 56   BYGIRVMZlaQLFlzV
4a0 : 52 45 59 70 50 4D 6E 41 73 44 35 78 46 48 41 45   REYpPMnAsD5xFHAE
4b0 : 42 44 49 36 55 69 67 79 49 6F 4D 41 41 4F 6C 64   BDI6UigyIoMAAOld
4c0 : 59 74 76 33 6B 77 56 73 51 46 0D 0A 59 37 4F 6F   Ytv3kwVsQF..Y7Oo
4d0 : 47 50 68 56 6C 41 74 30 52 67 71 74 74 48 44 5A   GPhVlAt0RgqttHDZ
4e0 : 58 4D 74 4F 46 4C 42 34 44 38 41 6A 57 52 51 77   XMtOFLB4D8AjWRQw
4f0 : 6A 41 45 4E 4F 67 2F 51 52 77 50 54 45 6C 51 4A   jAENOg/QRwPTElQJ
500 : 53 48 54 6C 52 59 64 64 66 79 64 38 45 67 41 69   SHTlRYddfyd8EgAi
510 : 68 53 56 32 49 64 47 61 0D 0A 62 66 71 68 4B 6C   hSV2IdGa..bfqhKl
520 : 57 78 41 4D 71 72 43 37 62 2B 4C 31 74 41 67 50   WxAMqrC7b+L1tAgP
530 : 75 51 74 73 6F 79 67 6A 51 4D 34 75 61 55 35 63   uQtsoygjQM4uaU5c
540 : 6A 4D 45 45 41 30 69 45 7A 66 33 7A 5A 45 6B 42   jMEEA0iEzf3zZEkB
550 : 53 5A 38 6F 42 32 66 53                           SZ8oB2fS

  Contact email
    petrus at ...2312...

  Some text that clearly explains why you think this is a false positive
case
    The rule intercepted trusted traffic between two Windows servers of
the organization

-- 
                                        Federico Petronio
                                        petrus at ...2312...




------------------------------

Message: 2
Date: Thu, 07 Jun 2007 11:31:16 -0400
From: Matthew Watchinski <mwatchinski at ...435...>
Subject: Re: [Snort-sigs] False positive on rule 10158
To: Federico Petronio <petrus at ...2312...>
Cc: Snort Signatures List <snort-sigs at lists.sourceforge.net>
Message-ID: <466824C4.8060006 at ...435...>
Content-Type: text/plain; charset=ISO-8859-1

This rule will be deleted.  Use the SO rule, gid 3, sid 10161

Federico Petronio wrote:
> Hello,
> 
> I would like to report this false positive on rule 10158.
> 
>   Version of Snort
>     snort_inline 2.3.0
> 
>   Rule SID and revision
>     10158. rev 3.
> 
>   Command line options when starting snort
>     snort -c snort.conf.inline -Q -A none -q
> 
>   The operating system being used
>     Debian Linux 3.1
> 
>   A supporting packet capture that illustrates the false positive case:
> 
> length = 140
> 000 : 00 00 00 88 FF 53 4D 42 2F 00 00 00 00 18 07 C8   .....SMB/.......
> 010 : 00 00 00 00 00 00 00 00 00 00 00 00 03 08 FF FE   ................
> 020 : 02 20 40 0B 0E FF 00 DE DE 03 40 00 00 00 00 FF   . @.......@.....
> 030 : FF FF FF 08 00 48 00 00 00 48 00 40 00 00 00 00   .....H...H.@....
> 040 : 00 49 00 EE 05 00 0B 03 10 00 00 00 48 00 00 00   .I..........H...
> 050 : 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00   ................
> 060 : 00 00 01 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47   .....O2Kp....xZG
> 070 : BF 6E E1 88 03 00 00 00 04 5D 88 8A EB 1C C9 11   .n.......]......
> 080 : 9F E8 08 00 2B 10 48 60 02 00 00 00               ....+.H`....
> 
>   Contact email (we may have a need for more information)
>     petrus at ...2312...
> 
>   Some text that clearly explains why you think this is a false positive
> case
>     The rule intercepted normal traffic between two Windows servers of
> the organization
> 
> 




------------------------------

Message: 3
Date: Thu, 07 Jun 2007 13:10:51 -0300
From: Federico Petronio <petrus at ...2312...>
Subject: Re: [Snort-sigs] False positive on rule 10012
To: rmkml <rmkml at ...324...>
Cc: Snort Signatures List <snort-sigs at lists.sourceforge.net>
Message-ID: <46682E0B.6080802 at ...2312...>
Content-Type: text/plain; charset=ISO-8859-1

Hello,

the rule is:

drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Microsoft
Outlook VEVENT non-TZID overflow attempt"; flow:to_server,established;
content:"DTSTART|3B|"; nocase; content:!"value"; within:5; nocase;
content:!"TZID"; within:4; nocase; reference:bugtraq,21931;
reference:cve,2007-0033;
reference:url,www.microsoft.com/technet/security/Bulletin/MS07-003.mspx;
classtype:attempted-user; sid:10012; rev:1;)

Regards,

rmkml wrote:
> Hi Federico,
> please send rule sid 10012.
> Regards
> Rmkml
> 
> 
> On Thu, 7 Jun 2007, Federico Petronio wrote:
> 
>> Date: Thu, 07 Jun 2007 11:30:11 -0300
>> From: Federico Petronio <petrus at ...2312...>
>> To: Snort Signatures List <snort-sigs at lists.sourceforge.net>
>> Subject: [Snort-sigs] False positive on rule 10012
>>
>> Hello,
>>
>> I would like to report this false positive on rule 10012.
>>
>>  Version of Snort
>>    snort_inline 2.3.0
>>
>>  Rule SID and revision
>>    10012. rev 1.
>>
>>  Command line options when starting snort
>>    snort -c snort.conf.inline -Q -A none -q
>>
>>  The operating system being used
>>    Debian Linux 3.1
>>
>>  A supporting packet capture that illustrates the false positive case:
>>
>> 0000000: 4163 6569 6b35 6f35 566f 3468 4350 314e  Aceik5o5Vo4hCP1N
>> 0000010: 5431 7552 4742 344b 5359 4768 4d51 4141  T1uRGB4KSYGhMQAA
>> 0000020: 4141 3067 4141 4146 7545 4141 4147 4e4f  AA0gAAAFuEAAAGNO
>> 0000030: 4141 3d3d 0d0a 4672 6f6d 3a20 2278 7878  AA==..From: "xxx
>> 0000040: 7878 7878 7878 7878 7822 203c 7878 7878  xxxxxxxxx" <xxxx
>> 0000050: 7878 7878 7878 7840 7878 7878 7878 3e0d  xxxxxxx@xxxxxx>.
>> 0000060: 0a54 6f3a 2022 7878 7878 7878 7878 7878  .To: "xxxxxxxxxx
>> 0000070: 7878 7878 7878 7878 7822 203c 7878 7878  xxxxxxxxx" <xxxx
>> 0000080: 7878 7840 7878 7878 7878 7878 783e 0d0a  xxx@xxxxxxxxx>..
>> 0000090: 0d0a 5468 6973 2069 7320 6120 6d75 6c74  ..This is a mult
>> 00000a0: 692d 7061 7274 206d 6573 7361 6765 2069  i-part message i
>> 00000b0: 6e20 4d49 4d45 2066 6f72 6d61 742e 0d0a  n MIME format...
>> 00000c0: 0d0a 2d2d 2d2d 2d2d 5f3d 5f4e 6578 7450  ..------_=_NextP
>> 00000d0: 6172 745f 3030 315f 3031 4337 4132 3935  art_001_01C7A295
>> 00000e0: 2e33 4538 4341 3942 430d 0a43 6f6e 7465  .3E8CA9BC..Conte
>> 00000f0: 6e74 2d54 7970 653a 2074 6578 742f 706c  nt-Type: text/pl
>> 0000100: 6169 6e3b 0d0a 0963 6861 7273 6574 3d22  ain;...charset="
>> 0000110: 6973 6f2d 3838 3539 2d31 220d 0a43 6f6e  iso-8859-1"..Con
>> 0000120: 7465 6e74 2d54 7261 6e73 6665 722d 456e  tent-Transfer-En
>> 0000130: 636f 6469 6e67 3a20 7175 6f74 6564 2d70  coding: quoted-p
>> 0000140: 7269 6e74 6162 6c65 0d0a 0d0a 0d0a 2d2d  rintable......--
>> 0000150: 2d2d 2d2d 5f3d 5f4e 6578 7450 6172 745f  ----_=_NextPart_
>> 0000160: 3030 315f 3031 4337 4132 3935 2e33 4538  001_01C7A295.3E8
>> 0000170: 4341 3942 430d 0a43 6f6e 7465 6e74 2d54  CA9BC..Content-T
>> 0000180: 7970 653a 2074 6578 742f 6874 6d6c 3b0d  ype: text/html;.
>> 0000190: 0a09 6368 6172 7365 743d 2269 736f 2d38  ..charset="iso-8
>> 00001a0: 3835 392d 3122 0d0a 436f 6e74 656e 742d  859-1"..Content-
>> 00001b0: 5472 616e 7366 6572 2d45 6e63 6f64 696e  Transfer-Encodin
>> 00001c0: 673a 2071 756f 7465 642d 7072 696e 7461  g: quoted-printa
>> 00001d0: 626c 650d 0a0d 0a3c 4d45 5441 2048 5454  ble....<META HTT
>> 00001e0: 502d 4551 5549 563d 3344 2243 6f6e 7465  P-EQUIV=3D"Conte
>> 00001f0: 6e74 2d54 7970 6522 2043 4f4e 5445 4e54  nt-Type" CONTENT
>> 0000200: 3d33 4422 7465 7874 2f68 746d 6c3b 203d  =3D"text/html; =
>> 0000210: 0d0a 6368 6172 7365 743d 3344 6973 6f2d  ..charset=3Diso-
>> 0000220: 3838 3539 2d31 223e 0d0a 0d0a 2d2d 2d2d  8859-1">....----
>> 0000230: 2d2d 5f3d 5f4e 6578 7450 6172 745f 3030  --_=_NextPart_00
>> 0000240: 315f 3031 4337 4132 3935 2e33 4538 4341  1_01C7A295.3E8CA
>> 0000250: 3942 430d 0a63 6f6e 7465 6e74 2d63 6c61  9BC..content-cla
>> 0000260: 7373 3a20 7572 6e3a 636f 6e74 656e 742d  ss: urn:content-
>> 0000270: 636c 6173 7365 733a 6361 6c65 6e64 6172  classes:calendar
>> 0000280: 6d65 7373 6167 650d 0a43 6f6e 7465 6e74  message..Content
>> 0000290: 2d54 7970 653a 2074 6578 742f 6361 6c65  -Type: text/cale
>> 00002a0: 6e64 6172 3b0d 0a09 6d65 7468 6f64 3d52  ndar;...method=R
>> 00002b0: 4550 4c59 3b0d 0a09 6e61 6d65 3d22 6d65  EPLY;...name="me
>> 00002c0: 6574 696e 672e 6963 7322 0d0a 436f 6e74  eting.ics"..Cont
>> 00002d0: 656e 742d 5472 616e 7366 6572 2d45 6e63  ent-Transfer-Enc
>> 00002e0: 6f64 696e 673a 2038 6269 740d 0a0d 0a42  oding: 8bit....B
>> 00002f0: 4547 494e 3a56 4341 4c45 4e44 4152 0d0a  EGIN:VCALENDAR..
>> 0000300: 4d45 5448 4f44 3a52 4550 4c59 0d0a 5052  METHOD:REPLY..PR
>> 0000310: 4f44 4944 3a4d 6963 726f 736f 6674 2043  ODID:Microsoft C
>> 0000320: 444f 2066 6f72 204d 6963 726f 736f 6674  DO for Microsoft
>> 0000330: 2045 7863 6861 6e67 650d 0a56 4552 5349   Exchange..VERSI
>> 0000340: 4f4e 3a32 2e30 0d0a 4245 4749 4e3a 5654  ON:2.0..BEGIN:VT
>> 0000350: 494d 455a 4f4e 450d 0a54 5a49 443a 5361  IMEZONE..TZID:Sa
>> 0000360: 7261 6a65 766f 5c2c 2053 6b6f 706a 655c  rajevo\, Skopje\
>> 0000370: 2c20 536f 6669 6a61 5c2c 2056 696c 6e69  , Sofija\, Vilni
>> 0000380: 7573 5c2c 2057 6172 7361 775c 2c20 5a61  us\, Warsaw\, Za
>> 0000390: 6772 6562 0d0a 582d 4d49 4352 4f53 4f46  greb..X-MICROSOF
>> 00003a0: 542d 4344 4f2d 545a 4944 3a32 0d0a 4245  T-CDO-TZID:2..BE
>> 00003b0: 4749 4e3a 5354 414e 4441 5244 0d0a 4454  GIN:STANDARD..DT
>> 00003c0: 5354 4152 543a 3136 3031 3031 3031 5430  START:16010101T0
>> 00003d0: 3330 3030 300d 0a54 5a4f 4646 5345 5446  30000..TZOFFSETF
>> 00003e0: 524f 4d3a 2b30 3230 300d 0a54 5a4f 4646  ROM:+0200..TZOFF
>> 00003f0: 5345 5454 4f3a 2b30 3130 300d 0a52 5255  SETTO:+0100..RRU
>> 0000400: 4c45 3a46 5245 513d 5945 4152 4c59 3b57  LE:FREQ=YEARLY;W
>> 0000410: 4b53 543d 4d4f 3b49 4e54 4552 5641 4c3d  KST=MO;INTERVAL=
>> 0000420: 313b 4259 4d4f 4e54 483d 3130 3b42 5944  1;BYMONTH=10;BYD
>> 0000430: 4159 3d2d 3153 550d 0a45 4e44 3a53 5441  AY=-1SU..END:STA
>> 0000440: 4e44 4152 440d 0a42 4547 494e 3a44 4159  NDARD..BEGIN:DAY
>> 0000450: 4c49 4748 540d 0a44 5453 5441 5254 3a31  LIGHT..DTSTART:1
>> 0000460: 3630 3130 3130 3154 3032 3030 3030 0d0a  6010101T020000..
>> 0000470: 545a 4f46 4653 4554 4652 4f4d 3a2b 3031  TZOFFSETFROM:+01
>> 0000480: 3030 0d0a 545a 4f46 4653 4554 544f 3a2b  00..TZOFFSETTO:+
>> 0000490: 3032 3030 0d0a 5252 554c 453a 4652 4551  0200..RRULE:FREQ
>> 00004a0: 3d59 4541 524c 593b 574b 5354 3d4d 4f3b  =YEARLY;WKST=MO;
>> 00004b0: 494e 5445 5256 414c 3d31 3b42 594d 4f4e  INTERVAL=1;BYMON
>> 00004c0: 5448 3d33 3b42 5944 4159 3d2d 3153 550d  TH=3;BYDAY=-1SU.
>> 00004d0: 0a45 4e44 3a44 4159 4c49 4748 540d 0a45  .END:DAYLIGHT..E
>> 00004e0: 4e44 3a56 5449 4d45 5a4f 4e45 0d0a 4245  ND:VTIMEZONE..BE
>> 00004f0: 4749 4e3a 5645 5645 4e54 0d0a 4454 5354  GIN:VEVENT..DTST
>> 0000500: 414d 503a 3230 3037 3035 3330 5430 3832  AMP:20070530T082
>> 0000510: 3230 335a 0d0a 4454 5354 4152 543b 545a  203Z..DTSTART;TZ
>> 0000520: 4944 3d22 5361 7261 6a65 766f 2c20 536b  ID="Sarajevo, Sk
>> 0000530: 6f70 6a65 2c20 536f 6669 6a61 2c20 5669  opje, Sofija, Vi
>> 0000540: 6c6e 6975 732c 2057 6172 7361 772c 205a  lnius, Warsaw, Z
>> 0000550: 6167 7265 6222 3a32 0d0a                 agreb":2..
>>
>>  Contact email
>>    petrus at ...2312...
>>
>>  Some text that clearly explains why you think this is a false positive
>> case
>>    The rule intercepted traffic between two nodes of MS Exchange of the
>> organization
>>
>> -- 
>>                                        Federico Petronio
>>                                        petrus at ...2312...
>>
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by DB2 Express
>> Download DB2 Express C - the FREE version of DB2 express and take
>> control of your XML. No limits. Just data. Click to get it now.
>> http://sourceforge.net/powerbar/db2/
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
> 
> 

-- 
                                        Federico Petronio
                                        petrus at ...2312...
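
Added example, not part of any message in this digest: the content/within chain of rule 10012 quoted above, written out as plain Python so the matching logic can be checked against sample iCalendar lines. It assumes the usual Snort 2.x semantics, namely that a negated content with within:N passes when the pattern is absent from the N bytes that follow the previous positive match, and that the engine retries later occurrences of the first content when the chain fails on an earlier one. The two DTSTART lines with Sarajevo and 16010101 are the ones at offsets 0x510 and 0x3c0 of the posted capture; the VALUE and X-LONG lines, the function names and the parameter extraction are constructed for the example.

```python
"""Rule 10012's content/within chain as plain Python (added example, not
the rule's own code).  Assumed Snort 2.x semantics: `content:!"x"; within:N`
passes when x is absent from the N bytes right after the previous positive
match, and the engine retries later `DTSTART;` occurrences if the chain fails."""
from typing import Optional

# Lines taken from the capture in this thread (offsets 0x3c0 and 0x510);
# VALUE_DTSTART and ODD_PARAM_DTSTART are constructed, the latter shaped like
# the long non-VALUE/non-TZID parameter the rule is meant to catch.
VTIMEZONE_DTSTART = b"DTSTART:16010101T030000\r\n"               # ':' not ';'
VEVENT_DTSTART = (b'DTSTART;TZID="Sarajevo, Skopje, Sofija, Vilnius, Warsaw, '
                  b'Zagreb":2\r\n')
VALUE_DTSTART = b"DTSTART;VALUE=DATE:20070607\r\n"               # constructed
ODD_PARAM_DTSTART = b"DTSTART;X-LONG=" + b"A" * 300 + b"\r\n"    # constructed


def rule_10012_match(payload: bytes) -> Optional[int]:
    """Offset of the first 'DTSTART;' (case-insensitive) whose next 5 bytes do
    not contain 'value' and whose next 4 bytes are not 'tzid'; None otherwise."""
    hay = payload.lower()
    needle = b"dtstart;"
    pos = 0
    while True:
        i = hay.find(needle, pos)
        if i < 0:
            return None
        after = i + len(needle)
        no_value = b"value" not in hay[after:after + 5]   # content:!"value"; within:5
        no_tzid = b"tzid" not in hay[after:after + 4]     # content:!"TZID"; within:4
        if no_value and no_tzid:
            return i
        pos = i + 1   # chain failed here; the engine tries the next occurrence


def dtstart_parameter(payload: bytes, offset: int) -> bytes:
    """Parameter name following a flagged 'DTSTART;' (up to '=' or ':'), for alert text."""
    rest = payload[offset + len(b"DTSTART;"):]
    cuts = [k for k in (rest.find(b"="), rest.find(b":")) if k >= 0]
    return rest[:min(cuts)] if cuts else rest


if __name__ == "__main__":
    benign = b"BEGIN:VEVENT\r\n" + VTIMEZONE_DTSTART + VEVENT_DTSTART + VALUE_DTSTART
    print("benign ->", rule_10012_match(benign))
    hit = rule_10012_match(benign + ODD_PARAM_DTSTART)
    print("suspicious ->", hit, dtstart_parameter(benign + ODD_PARAM_DTSTART, hit))
```

Running it reports no match for the three benign forms (colon-separated DTSTART, TZID parameter, VALUE parameter) and a match at the offset of the X-LONG line; a mismatch between this model and what a given engine build fires on is the first thing worth checking when a rule of this shape is reported as a false positive.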



------------------------------

Message: 4
Date: Thu, 07 Jun 2007 13:11:53 -0300
From: Federico Petronio <petrus at ...2312...>
Subject: Re: [Snort-sigs] False positive on rule 10995
To: rmkml <rmkml at ...324...>
Cc: Snort Signatures List <snort-sigs at lists.sourceforge.net>
Message-ID: <46682E49.5060101 at ...2312...>
Content-Type: text/plain; charset=ISO-8859-1

This is the rule:

drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP possible BDAT
DoS attempt"; flow:to_server,established; content:"BDAT"; nocase;
byte_jump:2,1,relative,string,dec; content:!"|0D 0A|"; within:2;
reference:bugtraq,4204; reference:cve,2002-0055;
reference:url,www.microsoft.com/technet/security/bulletin/ms02-012.mspx;
classtype:denial-of-service; sid:10995; rev:1;)

Regards,

rmkml wrote:
> Hi Federico,
> please send rule sid 10995.
> Regards
> Rmkml
> 
> 
> On Thu, 7 Jun 2007, Federico Petronio wrote:
> 
>> Date: Thu, 07 Jun 2007 11:30:17 -0300
>> From: Federico Petronio <petrus at ...2312...>
>> To: Snort Signatures List <snort-sigs at lists.sourceforge.net>
>> Subject: [Snort-sigs] False positive on rule 10995
>>
>> Hello,
>>
>> I would like to report this false positive on rule 10995.
>>
>>  Version of Snort
>>    snort_inline 2.3.0
>>
>>  Rule SID and revision
>>    10995. rev 1.
>>
>>  Command line options when starting snort
>>    snort -c snort.conf.inline -Q -A none -q
>>
>>  The operating system being used
>>    Debian Linux 3.1
>>
>>  A supporting packet capture that illustrates the false positive case:
>>
>> [packet capture identical to the one in message 1 above, omitted here]
>>
>>  Contact email
>>    petrus at ...2312...
>>
>>  Some text that clearly explains why you think this is a false positive
>> case
>>    The rule intercepted trusted traffic between two Windows servers of
>> the organization
>>
>> -- 
>>                                        Federico Petronio
>>                                        petrus at ...2312...
>>
>>
>>
> 
> 

-- 
                                        Federico Petronio
                                        petrus at ...2312...
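
Added example, not part of messages 1 or 4: rule 10995 as quoted above anchors on content:"BDAT"; nocase; with nothing that ties the match to an SMTP command line, and the capture in message 1 does contain the substring BDAT inside the base64 body (line 090, rdZ7uG3C0BDATl0U). The Python below shows that unanchored match hitting the body line, next to a state-aware check that only considers BDAT while the client is in command mode and compares the declared chunk size with the bytes that follow it. The SMTP sessions around that base64 line, the 1 MiB ceiling and the function names are the editor's constructions and assumptions, not Sourcefire's code or an explanation of what snort_inline 2.3.0 actually evaluated.

```python
"""Why rule 10995's bare content:"BDAT" fires on message bodies, next to a
state-aware BDAT check (added example; constructed SMTP sessions, not the
rule's or Sourcefire's code)."""
import re
from typing import List, Tuple

# Constructed client-side SMTP stream.  The base64 line is the one at offset
# 0x090 of the capture in message 1; the commands around it are made up.
DATA_SESSION = (
    b"EHLO mail.example.test\r\n"
    b"MAIL FROM:<a@example.test>\r\n"
    b"RCPT TO:<b@example.test>\r\n"
    b"DATA\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"rdZ7uG3C0BDATl0UqB7aV5E5AERqZRB+\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

# Constructed session where BDAT really is a command and the declared chunk
# size is larger than anything the client sends.
BDAT_SESSION = (
    b"EHLO mail.example.test\r\n"
    b"MAIL FROM:<a@example.test>\r\n"
    b"RCPT TO:<b@example.test>\r\n"
    b"BDAT 1000 LAST\r\n"
    b"short body\r\n"
)


def unanchored_bdat(payload: bytes) -> bool:
    """All the anchoring rule 10995 has: content:"BDAT"; nocase; anywhere in the payload."""
    return b"bdat" in payload.lower()


BDAT_CMD = re.compile(rb"BDAT[ \t]+(\d+)(?:[ \t]+LAST)?", re.IGNORECASE)


def bdat_commands(stream: bytes) -> List[Tuple[int, int]]:
    """(declared_size, bytes_available_after_the_command) for each BDAT seen
    in command mode.  DATA bodies up to the lone '.' are skipped, and the raw
    bytes consumed by an earlier BDAT chunk are skipped as well, so a 'BDAT'
    that sits inside a body or a chunk is never treated as a command."""
    findings = []
    pos, in_data = 0, False
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end < 0:
            end = len(stream)
        line = stream[pos:end]
        pos = min(end + 2, len(stream))
        if in_data:
            in_data = line != b"."
            continue
        if line.upper() == b"DATA":
            in_data = True
            continue
        m = BDAT_CMD.fullmatch(line)
        if m:
            declared = int(m.group(1))
            findings.append((declared, len(stream) - pos))
            pos += declared          # chunk bytes are opaque, not command lines
    return findings


def suspicious_bdat(stream: bytes, max_chunk: int = 1 << 20) -> List[Tuple[int, int]]:
    """BDAT commands whose declared size exceeds the bytes that follow or an assumed ceiling."""
    return [(d, a) for d, a in bdat_commands(stream) if d > a or d > max_chunk]


if __name__ == "__main__":
    print("unanchored match on DATA body:", unanchored_bdat(DATA_SESSION))
    print("BDAT commands in DATA session:", bdat_commands(DATA_SESSION))
    print("suspicious in BDAT session:", suspicious_bdat(BDAT_SESSION))
```

The unanchored check returns True for the session whose only BDAT is inside the base64 body; the state-aware walk finds no BDAT command there and flags the second session, where 1000 bytes are declared and 12 follow. Running this over a real capture means feeding it the reassembled client side of the TCP stream, not a single packet.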



------------------------------


End of Snort-sigs Digest, Vol 13, Issue 4
*****************************************



