[Snort-sigs] GID3 SID16408 False Positives

Joel Esler jesler at ...435...
Tue Feb 9 17:46:48 EST 2010


Best way to troubleshoot these is to provide VRT with a pcap of the  
traffic so they can troubleshoot the rule.

Joel Esler
Sent from my iPhone

On Feb 9, 2010, at 5:25 PM, "evilghost at ...3397..." <evilghost at ...3397... 
 > wrote:

> I am seeing this false heavily against TCP sport 80/sport 443 sourced
> from known trusted Internet hosts such as Thompson Reuters.  What
> information can I provide to the VRT team to better reduce this false
> positive since I have no visibility into this GID3 signature.  The
> stub-rule appears to be "$EXTERNAL_NET any -> $HOME_NET any" which
> really expands the scope of this signature and it's false positive
> potential.
> Are others also seeing this?  Even more odd is I do not see this
> signature announced in the VRT update.  Change log is blank due to  
> these
> being GID 3 so I'm going on information in the announcement email  
> which
> doesn't seem to cover this.  The announcement email shows 16405 for
> MS10-009 yet the stub rule shows 16408, if I understand it correctly.
> Also please note this is IPv4 traffic, established, not IPv6.
> Any insight, comments, etc is appreciated.  Troubleshooting this is
> difficult due to the lack of information and what appears to be
> inconsistent/inaccurate information in the announcement email.
> Thanks in advance,
> -evilghost
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> SOLARIS 10 is the OS for Data Centers - provides features such as  
> DTrace,
> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
> http://p.sf.net/sfu/solaris-dev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list