[Snort-sigs] False positive on rule 10012

Alex Kirk alex.kirk at ...435...
Thu Jun 7 15:30:30 EDT 2007


Federico,

Based on this packet data, you shouldn't be getting an alert at all. 
There's only one place where the first content -- "DTSTART|3B|" -- is 
present, and it is immediately followed by "TZID", which should make the 
final content clause in the rule fail, thus preventing it from firing. 
Further, I've run some tests over here with Snort 2.6.1.4, and 
equivalent content does not trigger the rule.

Could you please send your Snort.conf, and any PCAPs if you have them?

Also, please note that rmkml's suggestion would not be helpful here, as 
the additional criterion he inserted -- 'pcre:"/^DTSTART/mi";' -- is 
satisfied in this packet, so the rule would still fire.

Alex Kirk
Research Analyst
Sourcefire, Inc.
> Hello,
>
> I would like to report this false positive on rule 10012.
>
>   Version of Snort
>     snort_inline 2.3.0
>
>   Rule SID and revision
>     10012. rev 1.
>
>   Command line options when starting snort
>     snort -c snort.conf.inline -Q -A none -q
>
>   The operating system being used
>     Debian Linux 3.1
>
>   A supporting packet capture that illustrates the false positive case:
>
> 0000000: 4163 6569 6b35 6f35 566f 3468 4350 314e  Aceik5o5Vo4hCP1N
> 0000010: 5431 7552 4742 344b 5359 4768 4d51 4141  T1uRGB4KSYGhMQAA
> 0000020: 4141 3067 4141 4146 7545 4141 4147 4e4f  AA0gAAAFuEAAAGNO
> 0000030: 4141 3d3d 0d0a 4672 6f6d 3a20 2278 7878  AA==..From: "xxx
> 0000040: 7878 7878 7878 7878 7822 203c 7878 7878  xxxxxxxxx" <xxxx
> 0000050: 7878 7878 7878 7840 7878 7878 7878 3e0d  xxxxxxx at ...3295...>.
> 0000060: 0a54 6f3a 2022 7878 7878 7878 7878 7878  .To: "xxxxxxxxxx
> 0000070: 7878 7878 7878 7878 7822 203c 7878 7878  xxxxxxxxx" <xxxx
> 0000080: 7878 7840 7878 7878 7878 7878 783e 0d0a  xxx at ...3296...>..
> 0000090: 0d0a 5468 6973 2069 7320 6120 6d75 6c74  ..This is a mult
> 00000a0: 692d 7061 7274 206d 6573 7361 6765 2069  i-part message i
> 00000b0: 6e20 4d49 4d45 2066 6f72 6d61 742e 0d0a  n MIME format...
> 00000c0: 0d0a 2d2d 2d2d 2d2d 5f3d 5f4e 6578 7450  ..------_=_NextP
> 00000d0: 6172 745f 3030 315f 3031 4337 4132 3935  art_001_01C7A295
> 00000e0: 2e33 4538 4341 3942 430d 0a43 6f6e 7465  .3E8CA9BC..Conte
> 00000f0: 6e74 2d54 7970 653a 2074 6578 742f 706c  nt-Type: text/pl
> 0000100: 6169 6e3b 0d0a 0963 6861 7273 6574 3d22  ain;...charset="
> 0000110: 6973 6f2d 3838 3539 2d31 220d 0a43 6f6e  iso-8859-1"..Con
> 0000120: 7465 6e74 2d54 7261 6e73 6665 722d 456e  tent-Transfer-En
> 0000130: 636f 6469 6e67 3a20 7175 6f74 6564 2d70  coding: quoted-p
> 0000140: 7269 6e74 6162 6c65 0d0a 0d0a 0d0a 2d2d  rintable......--
> 0000150: 2d2d 2d2d 5f3d 5f4e 6578 7450 6172 745f  ----_=_NextPart_
> 0000160: 3030 315f 3031 4337 4132 3935 2e33 4538  001_01C7A295.3E8
> 0000170: 4341 3942 430d 0a43 6f6e 7465 6e74 2d54  CA9BC..Content-T
> 0000180: 7970 653a 2074 6578 742f 6874 6d6c 3b0d  ype: text/html;.
> 0000190: 0a09 6368 6172 7365 743d 2269 736f 2d38  ..charset="iso-8
> 00001a0: 3835 392d 3122 0d0a 436f 6e74 656e 742d  859-1"..Content-
> 00001b0: 5472 616e 7366 6572 2d45 6e63 6f64 696e  Transfer-Encodin
> 00001c0: 673a 2071 756f 7465 642d 7072 696e 7461  g: quoted-printa
> 00001d0: 626c 650d 0a0d 0a3c 4d45 5441 2048 5454  ble....<META HTT
> 00001e0: 502d 4551 5549 563d 3344 2243 6f6e 7465  P-EQUIV=3D"Conte
> 00001f0: 6e74 2d54 7970 6522 2043 4f4e 5445 4e54  nt-Type" CONTENT
> 0000200: 3d33 4422 7465 7874 2f68 746d 6c3b 203d  =3D"text/html; =
> 0000210: 0d0a 6368 6172 7365 743d 3344 6973 6f2d  ..charset=3Diso-
> 0000220: 3838 3539 2d31 223e 0d0a 0d0a 2d2d 2d2d  8859-1">....----
> 0000230: 2d2d 5f3d 5f4e 6578 7450 6172 745f 3030  --_=_NextPart_00
> 0000240: 315f 3031 4337 4132 3935 2e33 4538 4341  1_01C7A295.3E8CA
> 0000250: 3942 430d 0a63 6f6e 7465 6e74 2d63 6c61  9BC..content-cla
> 0000260: 7373 3a20 7572 6e3a 636f 6e74 656e 742d  ss: urn:content-
> 0000270: 636c 6173 7365 733a 6361 6c65 6e64 6172  classes:calendar
> 0000280: 6d65 7373 6167 650d 0a43 6f6e 7465 6e74  message..Content
> 0000290: 2d54 7970 653a 2074 6578 742f 6361 6c65  -Type: text/cale
> 00002a0: 6e64 6172 3b0d 0a09 6d65 7468 6f64 3d52  ndar;...method=R
> 00002b0: 4550 4c59 3b0d 0a09 6e61 6d65 3d22 6d65  EPLY;...name="me
> 00002c0: 6574 696e 672e 6963 7322 0d0a 436f 6e74  eting.ics"..Cont
> 00002d0: 656e 742d 5472 616e 7366 6572 2d45 6e63  ent-Transfer-Enc
> 00002e0: 6f64 696e 673a 2038 6269 740d 0a0d 0a42  oding: 8bit....B
> 00002f0: 4547 494e 3a56 4341 4c45 4e44 4152 0d0a  EGIN:VCALENDAR..
> 0000300: 4d45 5448 4f44 3a52 4550 4c59 0d0a 5052  METHOD:REPLY..PR
> 0000310: 4f44 4944 3a4d 6963 726f 736f 6674 2043  ODID:Microsoft C
> 0000320: 444f 2066 6f72 204d 6963 726f 736f 6674  DO for Microsoft
> 0000330: 2045 7863 6861 6e67 650d 0a56 4552 5349   Exchange..VERSI
> 0000340: 4f4e 3a32 2e30 0d0a 4245 4749 4e3a 5654  ON:2.0..BEGIN:VT
> 0000350: 494d 455a 4f4e 450d 0a54 5a49 443a 5361  IMEZONE..TZID:Sa
> 0000360: 7261 6a65 766f 5c2c 2053 6b6f 706a 655c  rajevo\, Skopje\
> 0000370: 2c20 536f 6669 6a61 5c2c 2056 696c 6e69  , Sofija\, Vilni
> 0000380: 7573 5c2c 2057 6172 7361 775c 2c20 5a61  us\, Warsaw\, Za
> 0000390: 6772 6562 0d0a 582d 4d49 4352 4f53 4f46  greb..X-MICROSOF
> 00003a0: 542d 4344 4f2d 545a 4944 3a32 0d0a 4245  T-CDO-TZID:2..BE
> 00003b0: 4749 4e3a 5354 414e 4441 5244 0d0a 4454  GIN:STANDARD..DT
> 00003c0: 5354 4152 543a 3136 3031 3031 3031 5430  START:16010101T0
> 00003d0: 3330 3030 300d 0a54 5a4f 4646 5345 5446  30000..TZOFFSETF
> 00003e0: 524f 4d3a 2b30 3230 300d 0a54 5a4f 4646  ROM:+0200..TZOFF
> 00003f0: 5345 5454 4f3a 2b30 3130 300d 0a52 5255  SETTO:+0100..RRU
> 0000400: 4c45 3a46 5245 513d 5945 4152 4c59 3b57  LE:FREQ=YEARLY;W
> 0000410: 4b53 543d 4d4f 3b49 4e54 4552 5641 4c3d  KST=MO;INTERVAL=
> 0000420: 313b 4259 4d4f 4e54 483d 3130 3b42 5944  1;BYMONTH=10;BYD
> 0000430: 4159 3d2d 3153 550d 0a45 4e44 3a53 5441  AY=-1SU..END:STA
> 0000440: 4e44 4152 440d 0a42 4547 494e 3a44 4159  NDARD..BEGIN:DAY
> 0000450: 4c49 4748 540d 0a44 5453 5441 5254 3a31  LIGHT..DTSTART:1
> 0000460: 3630 3130 3130 3154 3032 3030 3030 0d0a  6010101T020000..
> 0000470: 545a 4f46 4653 4554 4652 4f4d 3a2b 3031  TZOFFSETFROM:+01
> 0000480: 3030 0d0a 545a 4f46 4653 4554 544f 3a2b  00..TZOFFSETTO:+
> 0000490: 3032 3030 0d0a 5252 554c 453a 4652 4551  0200..RRULE:FREQ
> 00004a0: 3d59 4541 524c 593b 574b 5354 3d4d 4f3b  =YEARLY;WKST=MO;
> 00004b0: 494e 5445 5256 414c 3d31 3b42 594d 4f4e  INTERVAL=1;BYMON
> 00004c0: 5448 3d33 3b42 5944 4159 3d2d 3153 550d  TH=3;BYDAY=-1SU.
> 00004d0: 0a45 4e44 3a44 4159 4c49 4748 540d 0a45  .END:DAYLIGHT..E
> 00004e0: 4e44 3a56 5449 4d45 5a4f 4e45 0d0a 4245  ND:VTIMEZONE..BE
> 00004f0: 4749 4e3a 5645 5645 4e54 0d0a 4454 5354  GIN:VEVENT..DTST
> 0000500: 414d 503a 3230 3037 3035 3330 5430 3832  AMP:20070530T082
> 0000510: 3230 335a 0d0a 4454 5354 4152 543b 545a  203Z..DTSTART;TZ
> 0000520: 4944 3d22 5361 7261 6a65 766f 2c20 536b  ID="Sarajevo, Sk
> 0000530: 6f70 6a65 2c20 536f 6669 6a61 2c20 5669  opje, Sofija, Vi
> 0000540: 6c6e 6975 732c 2057 6172 7361 772c 205a  lnius, Warsaw, Z
> 0000550: 6167 7265 6222 3a32 0d0a                 agreb":2..
>
>   Contact email
>     petrus at ...2312...
>
>   Some text that clearly explains why you think this is a false positive
> case
>     The rule intercepted traffic between two nodes of MS Exchange of the
> organization
>
>   
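Alex's check on the quoted dump, written out as an added example (not code from the thread or from the Snort rule itself): rebuild the payload from xxd-style lines, locate every match of the rule's first content, DTSTART|3B|, and show what immediately follows it, then evaluate rmkml's proposed pcre clause the same way. The embedded dump is a constructed excerpt of the report's lines 0x4f0 to 0x550, the only region containing "DTSTART;"; the rule's other content clauses are not on the page, so only the two conditions the reply names are modelled, and the function names are mine.

```python
import re

# Constructed sample: the xxd lines quoted in the report above for offsets
# 0x4f0-0x550, the region holding the capture's only "DTSTART;". Decoded as
# one byte stream; the ASCII column on the right is never used.
HEXDUMP_EXCERPT = """\
> 00004f0: 4749 4e3a 5645 5645 4e54 0d0a 4454 5354  GIN:VEVENT..DTST
> 0000500: 414d 503a 3230 3037 3035 3330 5430 3832  AMP:20070530T082
> 0000510: 3230 335a 0d0a 4454 5354 4152 543b 545a  203Z..DTSTART;TZ
> 0000520: 4944 3d22 5361 7261 6a65 766f 2c20 536b  ID="Sarajevo, Sk
> 0000530: 6f70 6a65 2c20 536f 6669 6a61 2c20 5669  opje, Sofija, Vi
> 0000540: 6c6e 6975 732c 2057 6172 7361 772c 205a  lnius, Warsaw, Z
> 0000550: 6167 7265 6222 3a32 0d0a                 agreb":2..
"""

XXD_LINE = re.compile(r"^>?\s*[0-9a-fA-F]{7,8}: (.*)$")
HEX_WIDTH = 39  # 8 groups of 4 hex digits plus 7 separating spaces

def parse_xxd(dump: str) -> bytes:
    """Rebuild the payload from an xxd dump (a '>' mail-quote prefix is fine).
    Only the fixed-width hex column is decoded, so the ASCII column can't leak in."""
    out = bytearray()
    for line in dump.splitlines():
        m = XXD_LINE.match(line)
        if not m:
            continue  # blank or non-dump line
        for group in m.group(1)[:HEX_WIDTH].split():
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", group):
                raise ValueError(f"bad hex group {group!r}")
            out += bytes.fromhex(group)
    return bytes(out)

def dtstart_semicolon_hits(payload: bytes, lookahead: int = 4):
    """(offset, following bytes) for each match of the rule's first content,
    DTSTART|3B| (b'DTSTART;'); the lookahead is what the later clauses see."""
    needle, hits, start = b"DTSTART;", [], 0
    while (pos := payload.find(needle, start)) != -1:
        hits.append((pos, payload[pos + 8:pos + 8 + lookahead]))
        start = pos + 1
    return hits

def all_followed_by_tzid(payload: bytes) -> bool:
    """Alex's observation: every 'DTSTART;' is immediately followed by 'TZID'."""
    hits = dtstart_semicolon_hits(payload)
    return bool(hits) and all(a.startswith(b"TZID") for _, a in hits)

def pcre_line_start_dtstart(payload: bytes) -> bool:
    """rmkml's proposed extra clause, pcre:"/^DTSTART/mi", in Python re form."""
    return re.search(rb"^DTSTART", payload, re.M | re.I) is not None
```

Running it on the excerpt gives a single hit at offset 38 followed by b"TZID", while the pcre clause still matches, which is exactly why the reply says that clause would not stop the rule from firing.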
