[Snort-sigs] GID3 SID16408 False Positives

evilghost at ...3397...
Tue Feb 9 17:59:53 EST 2010

I stand corrected regarding IPv6, this is the SACK issue, the false 
positives still persist though.  It's always hard to tell what the true 
issue is when Microsoft wraps about ~5 issues into a singular advisory.  
The sig to detect on CVE-2010-0242 appears to be the one I'm having 
issues with.


evilghost at ...3397... wrote:
> Thanks Joel, I neglected to include research@{SF FQDN} and have done 
> so.  I cannot include a PCAP due to confidentiality of payload.  I was 
> hoping perhaps pointing out that this is IPv4 data, not IPv6, may be 
> useful in reducing the false positives if I'm even looking in the 
> right place (SID confusion/inaccuracy in the announcement email?).
> To me, it seems that MS10-009 is isolated to specially crafted ICMP 
> IPv6 packets, not IPv4.  Could this GID3 rule be updated to look at 
> IPv6 header (not IPv4) or more specifically IPv6 ICMP?
> -evilghost
> Joel Esler wrote:
>> Evilghost--
>> Best way to troubleshoot these is to provide VRT with a pcap of the 
>> traffic so they can troubleshoot the rule.
>> -- 
>> Joel Esler
>> 302-223-5974
>> Sent from my iPhone
>> On Feb 9, 2010, at 5:25 PM, "evilghost at ...3397..." 
>> <evilghost at ...3397...> wrote:
>>> I am seeing this false heavily against TCP sport 80/sport 443 sourced
>>> from known trusted Internet hosts such as Thomson Reuters.  What
>>> information can I provide to the VRT team to better reduce this false
>>> positive, since I have no visibility into this GID3 signature?  The
>>> stub-rule appears to be "$EXTERNAL_NET any -> $HOME_NET any" which
>>> really expands the scope of this signature and its false positive
>>> potential.
>>> Are others also seeing this?  Even more odd is that I do not see this
>>> signature announced in the VRT update.  The change log is blank due to
>>> these being GID 3, so I'm going on information in the announcement email,
>>> which doesn't seem to cover this.  The announcement email shows 16405 for
>>> MS10-009 yet the stub rule shows 16408, if I understand it correctly.
>>> Also please note this is IPv4 traffic, established, not IPv6.
>>> Any insight, comments, etc. are appreciated.  Troubleshooting this is
>>> difficult due to the lack of information and what appears to be
>>> inconsistent/inaccurate information in the announcement email.
>>> Thanks in advance,
>>> -evilghost
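As an added triage example (not from this thread, and not Sourcefire/VRT code): a Python helper that parses Snort alert_fast lines, counts 3:16408 hits per source host, flags sources whose every alert is a TCP packet with source port 80/443 (the established web-reply pattern reported above), and renders threshold.conf suppress entries for sources an analyst has confirmed as trusted. The sample alert lines and the rule message text are constructed; the real rule message is not given in the thread.

```python
import re
from collections import Counter

# Snort 2.x alert_fast line layout; handles IPv4 with or without ports (ICMP has none).
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$'
)

# Constructed sample alerts (rule message text is a placeholder, not the real VRT msg).
SAMPLE = """\
02/09-17:25:01.000001  [**] [3:16408:1] CONSTRUCTED MSG MS10-009 [**] [Priority: 2] {TCP} 198.51.100.10:80 -> 10.1.2.3:50112
02/09-17:25:02.000002  [**] [3:16408:1] CONSTRUCTED MSG MS10-009 [**] [Priority: 2] {TCP} 198.51.100.10:443 -> 10.1.2.4:50113
02/09-17:25:03.000003  [**] [3:16408:1] CONSTRUCTED MSG MS10-009 [**] [Priority: 2] {TCP} 203.0.113.7:4444 -> 10.1.2.5:139
02/09-17:25:04.000004  [**] [1:2000001:1] CONSTRUCTED OTHER [**] [Priority: 3] {TCP} 198.51.100.10:80 -> 10.1.2.3:50114
"""

def parse_fast_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a['gid'], a['sid'] = int(a['gid']), int(a['sid'])
    a['sport'] = int(a['sport']) if a['sport'] else None
    a['dport'] = int(a['dport']) if a['dport'] else None
    return a

def triage(lines, gid=3, sid=16408, service_ports=(80, 443)):
    """Count hits for gid:sid per source host and flag sources whose every alert is a
    TCP packet with a server-side source port, i.e. a reply from a web server, which is
    the false-positive pattern reported in the thread. Returns (counts, flagged_sources)."""
    by_src, web_reply = Counter(), Counter()
    for line in lines:
        a = parse_fast_alert(line)
        if not a or a['gid'] != gid or a['sid'] != sid:
            continue
        by_src[a['src']] += 1
        if a['proto'] == 'TCP' and a['sport'] in service_ports:
            web_reply[a['src']] += 1
    flagged = sorted(s for s, n in by_src.items() if web_reply[s] == n)
    return by_src, flagged

def suppress_lines(gid, sid, sources):
    """Render threshold.conf 'suppress' entries (track by_src) for analyst-confirmed sources."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {s}" for s in sources]

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE.splitlines())
    print(counts, flagged)
    print("\n".join(suppress_lines(3, 16408, flagged)))
```

Flagged sources are candidates for review, not automatic suppression; a suppress entry silences the SID for that source entirely, so confirm the host and the payload pattern before adding it.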