[Snort-sigs] GID3 SID16408 False Positives

evilghost at ...3397...
Tue Feb 9 17:25:17 EST 2010


I am seeing this false positive heavily against TCP sport 80/sport 443
sourced from known trusted Internet hosts such as Thomson Reuters.  What
information can I provide to the VRT team to better reduce this false
positive, since I have no visibility into this GID3 signature?  The
stub rule appears to be "$EXTERNAL_NET any -> $HOME_NET any", which
really expands the scope of this signature and its false positive
potential.

Are others also seeing this?  Even more odd is that I do not see this
signature announced in the VRT update.  The change log is blank due to
these being GID 3, so I'm going on the information in the announcement
email, which doesn't seem to cover this.  The announcement email shows
16405 for MS10-009, yet the stub rule shows 16408, if I understand it
correctly.  Also please note this is IPv4 traffic, established, not IPv6.

Any insight, comments, etc. are appreciated.  Troubleshooting this is
difficult due to the lack of information and what appears to be
inconsistent/inaccurate information in the announcement email.

Thanks in advance,
-evilghost
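One way to triage a report like this on the defender's side, as an added example that is not part of the original post or of Snort itself: it tallies alert_fast-style lines for a single GID:SID by source address and port (the data worth sending along with a pcap), then emits Snort 2 threshold.conf `suppress` stanzas only for sources inside a trusted range, so the rule keeps firing for every other source. The log lines, the trusted range (documentation addresses) and the exact alert_fast layout are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed Snort 2 alert_fast-style lines (not from the original post).
# Assumed layout: [gid:sid:rev] ... {proto} src:sport -> dst:dport
SAMPLE_ALERTS = """\
02/09-17:20:01.000001  [**] [3:16408:1] Snort Alert [3:16408:1] [**] [Priority: 3] {TCP} 198.51.100.10:80 -> 192.0.2.5:51010
02/09-17:20:02.000001  [**] [3:16408:1] Snort Alert [3:16408:1] [**] [Priority: 3] {TCP} 198.51.100.10:443 -> 192.0.2.6:51011
02/09-17:20:03.000001  [**] [3:16408:1] Snort Alert [3:16408:1] [**] [Priority: 3] {TCP} 203.0.113.7:80 -> 192.0.2.5:51012
02/09-17:20:04.000001  [**] [1:2000001:2] Other rule [**] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.0.2.5:51013
"""

# Constructed placeholder for the "known trusted Internet hosts" (RFC 5737 range).
TRUSTED_NETS = [ip_network("198.51.100.0/24")]

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def tally_sources(log_text, gid, sid):
    """Count hits for one GID:SID keyed by (source IP, source port); other rules are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m["gid"]) != gid or int(m["sid"]) != sid:
            continue
        counts[(m["src"], int(m["sport"]))] += 1
    return counts


def is_trusted(ip):
    """True when the address falls inside one of the trusted ranges."""
    return any(ip_address(ip) in net for net in TRUSTED_NETS)


def suppress_lines(counts, gid, sid):
    """Build threshold.conf 'suppress' stanzas for trusted sources only.

    Scoping by source keeps the rule live for untrusted hosts instead of
    disabling it outright while the VRT looks at the false positive."""
    trusted = sorted({src for (src, _port) in counts if is_trusted(src)})
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}" for src in trusted]


if __name__ == "__main__":
    hits = tally_sources(SAMPLE_ALERTS, 3, 16408)
    for (src, sport), n in sorted(hits.items()):
        print(f"{src}:{sport}  hits={n}  trusted={is_trusted(src)}")
    print("\n".join(suppress_lines(hits, 3, 16408)))
```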
