[Snort-sigs] FP for 100000892

Thierry CHICH thierry.chich at ...2579...
Tue Mar 27 02:56:31 EDT 2007


This sig is generating a lot of false positives:
the problem is that a flow from $HOME_NET with the source port 1720 can
correspond to the sig:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow"; flow:established; content:"|08|"; depth:1; byte_test:1,>,4,1; classtype:attempted-dos; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; sid:100000892; rev:1;)

I suggest changing this rule to:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow"; flow:to_server,established; content:"|08|"; depth:1; byte_test:1,>,4,1; classtype:attempted-dos; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; sid:100000892; rev:2;)
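
The difference between rev:1 and rev:2 can be seen in the following simplified model of the rule options (content, depth, byte_test, flow). This is an added illustration, not part of the post and not Snort's engine; it assumes the IP/port header part of the rule has already matched, and the Q.931 payloads are constructed samples.

```python
# Added model of the two rule revisions in the post: rev:1 (flow:established)
# fires in both directions of an established session, rev:2
# (flow:to_server,established) only on client -> server packets.
# Not Snort's matching engine; the header (IP/port) match is assumed to have
# already succeeded, and the payloads below are constructed samples.
from dataclasses import dataclass

Q931_PROTOCOL_DISCRIMINATOR = 0x08  # content:"|08|"; depth:1


@dataclass
class Packet:
    payload: bytes
    to_server: bool  # True when sent by the TCP client toward the server


def q931_payload_matches(payload: bytes) -> bool:
    """content:"|08|"; depth:1; byte_test:1,>,4,1

    Byte 0 must be the Q.931 protocol discriminator and the single byte at
    offset 1 (the call reference length octet) must be greater than 4.
    """
    if len(payload) < 2:
        return False
    return payload[0] == Q931_PROTOCOL_DISCRIMINATOR and payload[1] > 4


def rule_rev1_fires(pkt: Packet) -> bool:
    """flow:established -- direction is not checked (session assumed established)."""
    return q931_payload_matches(pkt.payload)


def rule_rev2_fires(pkt: Packet) -> bool:
    """flow:to_server,established -- only client -> server packets qualify."""
    return pkt.to_server and q931_payload_matches(pkt.payload)


# Constructed samples: a message with a 2-octet call reference (the usual
# H.225.0 case) and one claiming a 6-octet call reference.
VALID_SETUP = bytes([0x08, 0x02, 0x00, 0x01, 0x05])
OVERSIZED_CALLREF = bytes([0x08, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x05])


def false_positive_demo() -> dict:
    """Same payload, both directions: which revision fires where."""
    from_client = Packet(OVERSIZED_CALLREF, to_server=True)
    from_server = Packet(OVERSIZED_CALLREF, to_server=False)
    return {
        "rev1_client_to_server": rule_rev1_fires(from_client),
        "rev1_server_to_client": rule_rev1_fires(from_server),  # the reported FP
        "rev2_client_to_server": rule_rev2_fires(from_client),
        "rev2_server_to_client": rule_rev2_fires(from_server),
    }
```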
