[Snort-sigs] GID3 SID16408 False Positives

evilghost at ...3397...
Tue Feb 9 17:53:12 EST 2010

Thanks Joel, I neglected to include research@{SF FQDN} and have done 
so.  I cannot include a PCAP due to confidentiality of payload.  I was 
hoping perhaps pointing out that this is IPv4 data, not IPv6, may be 
useful in reducing the false positives if I'm even looking in the right 
place (SID confusion/inaccuracy in the announcement email?).

To me, it seems that MS10-009 is isolated to specially crafted ICMP IPv6 
packets, not IPv4.  Could this GID3 rule be updated to look at IPv6 
header (not IPv4) or more specifically IPv6 ICMP?


Joel Esler wrote:
> Evilghost--
> Best way to troubleshoot these is to provide VRT with a pcap of the 
> traffic so they can troubleshoot the rule.
> -- 
> Joel Esler
> 302-223-5974
> Sent from my iPhone
> On Feb 9, 2010, at 5:25 PM, "evilghost at ...3397..." 
> <evilghost at ...3397...> wrote:
>> I am seeing this false heavily against TCP sport 80/sport 443 sourced
>> from known trusted Internet hosts such as Thompson Reuters.  What
>> information can I provide to the VRT team to better reduce this false
>> positive since I have no visibility into this GID3 signature.  The
>> stub-rule appears to be "$EXTERNAL_NET any -> $HOME_NET any" which
>> really expands the scope of this signature and its false positive
>> potential.
>> Are others also seeing this?  Even more odd is I do not see this
>> signature announced in the VRT update.  Change log is blank due to these
>> being GID 3 so I'm going on information in the announcement email which
>> doesn't seem to cover this.  The announcement email shows 16405 for
>> MS10-009 yet the stub rule shows 16408, if I understand it correctly.
>> Also please note this is IPv4 traffic, established, not IPv6.
>> Any insight, comments, etc. are appreciated.  Troubleshooting this is
>> difficult due to the lack of information and what appears to be
>> inconsistent/inaccurate information in the announcement email.
>> Thanks in advance,
>> -evilghost
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
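As an added triage aid (not code from the thread or from the VRT), the script below reads Snort alert_fast lines, keeps only GID 3 / SID 16408 events, and sorts them by the pattern described above: IPv6 ICMP hits are labelled "expected" (the profile the poster assumes for MS10-009), IPv4 TCP hits from source port 80/443 are labelled "suspect_fp", and everything else is left for review. The sample alert lines, the "{IPV6-ICMP}" protocol token, and the assumption that IPv6 endpoints in the input are portless ICMP entries are all constructed assumptions; the emitted suppress lines use Snort's threshold.conf syntax and are candidates to review, not an automatic change.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of Snort alert_fast lines (not captured from the poster's sensor).
SAMPLE_ALERTS = """\
02/09-17:25:01.000001  [**] [3:16408:1] MS10-009 stub rule [**] [Priority: 1] {TCP} 203.0.113.10:443 -> 10.1.2.3:51234
02/09-17:25:02.000002  [**] [3:16408:1] MS10-009 stub rule [**] [Priority: 1] {TCP} 203.0.113.10:80 -> 10.1.2.4:51235
02/09-17:25:03.000003  [**] [3:16408:1] MS10-009 stub rule [**] [Priority: 1] {IPV6-ICMP} 2001:db8::9 -> 2001:db8::1
02/09-17:25:04.000004  [**] [1:2000001:1] unrelated rule [**] [Priority: 3] {UDP} 198.51.100.7:53 -> 10.1.2.3:40000
02/09-17:25:05.000005  [**] [3:16408:1] MS10-009 stub rule [**] [Priority: 1] {ICMP} 198.51.100.7 -> 10.1.2.5
"""

# Pulls GID:SID, the {PROTO} token and the "src -> dst" endpoints out of one alert_fast line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def split_endpoint(token):
    """Return (ip, port_or_None). Snort appends ':port' only for TCP/UDP; ICMP entries carry a bare
    address. Assumption: IPv6 endpoints in the input are portless ICMP entries, so any token that
    parses as a whole address is taken as-is."""
    try:
        return ipaddress.ip_address(token), None
    except ValueError:
        ip, port = token.rsplit(":", 1)
        return ipaddress.ip_address(ip), int(port)

def classify(line, gid=3, sid=16408):
    """Return (verdict, source_ip, proto) for a matching alert, or None for other lines."""
    m = ALERT_RE.search(line)
    if not m or (int(m["gid"]), int(m["sid"])) != (gid, sid):
        return None
    src_ip, src_port = split_endpoint(m["src"])
    proto = m["proto"].upper()
    if src_ip.version == 6 and "ICMP" in proto:
        verdict = "expected"    # IPv6 ICMP: the profile the poster expects for MS10-009
    elif src_ip.version == 4 and proto == "TCP" and src_port in (80, 443):
        verdict = "suspect_fp"  # IPv4 TCP from sport 80/443: the reported false-positive pattern
    else:
        verdict = "review"
    return verdict, str(src_ip), proto

def triage(text):
    """Count verdicts and tally the source IPs behind suspected false positives."""
    verdicts, fp_sources = Counter(), Counter()
    for line in text.splitlines():
        result = classify(line)
        if result is None:
            continue
        verdict, src, _ = result
        verdicts[verdict] += 1
        if verdict == "suspect_fp":
            fp_sources[src] += 1
    return verdicts, fp_sources

def suppress_lines(fp_sources, gid=3, sid=16408):
    """Snort threshold.conf suppress entries for the suspected sources (review before deploying)."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}" for ip in sorted(fp_sources)]
```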
