[Snort-sigs] GID3 SID16408 False Positives

evilghost at ...3397...
Tue Feb 9 17:53:12 EST 2010


Thanks Joel, I neglected to include research@{SF FQDN} and have done 
so.  I cannot include a PCAP due to confidentiality of payload.  I was 
hoping perhaps pointing out that this is IPv4 data, not IPv6, may be 
useful in reducing the false positives if I'm even looking in the right 
place (SID confusion/inaccuracy in the announcement email?).

To me, it seems that MS10-009 is isolated to specially crafted ICMP IPv6 
packets, not IPv4.  Could this GID3 rule be updated to look at IPv6 
header (not IPv4) or more specifically IPv6 ICMP?

-evilghost

Joel Esler wrote:
> Evilghost--
>
> Best way to troubleshoot these is to provide VRT with a pcap of the 
> traffic so they can troubleshoot the rule.
>
> -- 
> Joel Esler
> 302-223-5974
> Sent from my iPhone
>
> On Feb 9, 2010, at 5:25 PM, "evilghost at ...3397..." 
> <evilghost at ...3397...> wrote:
>
>> I am seeing this false heavily against TCP sport 80/sport 443 sourced
>> from known trusted Internet hosts such as Thompson Reuters.  What
>> information can I provide to the VRT team to better reduce this false
>> positive since I have no visibility into this GID3 signature.  The
>> stub-rule appears to be "$EXTERNAL_NET any -> $HOME_NET any" which
>> really expands the scope of this signature and its false positive
>> potential.
>>
>> Are others also seeing this?  Even more odd is I do not see this
>> signature announced in the VRT update.  Change log is blank due to these
>> being GID 3 so I'm going on information in the announcement email which
>> doesn't seem to cover this.  The announcement email shows 16405 for
>> MS10-009 yet the stub rule shows 16408, if I understand it correctly.
>> Also please note this is IPv4 traffic, established, not IPv6.
>>
>> Any insight, comments, etc. are appreciated.  Troubleshooting this is
>> difficult due to the lack of information and what appears to be
>> inconsistent/inaccurate information in the announcement email.
>>
>> Thanks in advance,
>> -evilghost
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
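Added example (my own code, not from the thread, from the VRT or from the Snort project): the poster cannot share a PCAP because of its payload, but a rule author mostly needs the headers, and the thread's whole argument is that IPv4 TCP traffic on sport 80/443 cannot be the ICMPv6 vector the poster describes for MS10-009. The script below rewrites a classic pcap so that each frame keeps only its Ethernet, IP and transport headers, and reports each packet's IP version, protocol and ports so the two cases are visibly distinct. It assumes a little-endian classic pcap (not pcapng) with Ethernet frames, no VLAN tags and no IPv6 extension headers; the two sample packets are constructed inline and are not from any real capture.

```python
"""Header-only pcap sanitiser for sharing IDS false-positive samples.

Added example, not from the mailing-list thread or the Snort/VRT project.
Keeps link, network and transport headers of every frame, drops payload
bytes, and summarises IP version / protocol / ports per packet.
Assumptions: little-endian classic pcap, Ethernet link type, no VLAN tags,
no IPv6 extension headers. Sample packets below are constructed here.
"""
import struct

ETH_HDR = 14
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ICMPV6 = 1, 6, 17, 58
PCAP_MAGIC_LE = 0xA1B2C3D4      # read/written with "<", i.e. little-endian file
LINKTYPE_ETHERNET = 1


def classify(frame):
    """Parse Ethernet/IP/transport headers; return version, proto, ports, payload offset."""
    if len(frame) < ETH_HDR:
        raise ValueError("truncated Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4:
        version, l4 = 4, ETH_HDR + (frame[ETH_HDR] & 0x0F) * 4   # IHL in 32-bit words
        proto = frame[ETH_HDR + 9]                               # Protocol field
    elif ethertype == ETHERTYPE_IPV6:
        version, l4 = 6, ETH_HDR + 40                            # fixed header only (assumption)
        proto = frame[ETH_HDR + 6]                               # Next Header field
    else:
        # Non-IP frame: keep it whole, there is no IP payload to strip
        return {"version": None, "proto": None, "sport": None, "dport": None,
                "payload_off": len(frame)}
    sport = dport = None
    if proto == PROTO_TCP:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        payload_off = l4 + (frame[l4 + 12] >> 4) * 4             # Data Offset covers options
    elif proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        payload_off = l4 + 8
    elif proto in (PROTO_ICMP, PROTO_ICMPV6):
        payload_off = l4 + 8                                     # type, code, checksum, rest
    else:
        payload_off = l4                                         # unknown transport: IP header only
    return {"version": version, "proto": proto, "sport": sport, "dport": dport,
            "payload_off": min(payload_off, len(frame))}


def matches_icmpv6(info):
    """True only for IPv6 packets carrying ICMPv6, the only traffic an ICMPv6 rule should see."""
    return info["version"] == 6 and info["proto"] == PROTO_ICMPV6


def sanitize_pcap(data):
    """Return (header-only pcap bytes, per-packet summary list)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, link = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE or link != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    out, summary, pos = bytearray(data[:24]), [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        info = classify(frame)
        kept = frame[:info["payload_off"]]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(kept), orig_len) + kept
        summary.append({**info, "dropped": len(frame) - len(kept)})
    return bytes(out), summary


# --- constructed sample traffic (not real captures) ------------------------------
def _eth(ethertype):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype)


def build_ipv4_tcp(sport, dport, payload):
    """IPv4/TCP frame: 20-byte IP header, 20-byte TCP header, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     bytes([203, 0, 113, 10]), bytes([10, 0, 0, 5]))
    return _eth(ETHERTYPE_IPV4) + ip + tcp


def build_ipv6_icmpv6(payload):
    """IPv6 frame carrying an ICMPv6 Echo Request (type 128) with the given payload."""
    icmp = struct.pack("!BBHHH", 128, 0, 0, 1, 1) + payload
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), PROTO_ICMPV6, 64, src, dst)
    return _eth(ETHERTYPE_IPV6) + ip6 + icmp


def build_pcap(frames):
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1265752392 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


SAMPLE_PCAP = build_pcap([
    build_ipv4_tcp(443, 51000, b"HTTP/1.1 200 OK\r\n\r\nCONFIDENTIAL feed content"),
    build_ipv6_icmpv6(b"\x41" * 32),
])

if __name__ == "__main__":
    clean, summary = sanitize_pcap(SAMPLE_PCAP)
    for i, info in enumerate(summary):
        print(i, info, "icmpv6" if matches_icmpv6(info) else "not icmpv6")
    with open("headers_only.pcap", "wb") as fh:   # share this file instead of the original
        fh.write(clean)
```

Run against a real capture by replacing SAMPLE_PCAP with the file's bytes; the written pcap still opens in Wireshark or Snort with the original timestamps and on-wire lengths, so the rule author can see which header fields the rule fired on, while the per-packet summary gives the IPv4-versus-IPv6 breakdown in a form that can be pasted into a list post without the payload.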