[Snort-sigs] GID3 SID16408 False Positives

Joel Esler jesler at ...435...
Tue Feb 9 18:14:31 EST 2010


Okay, well regarding the pcap situation, you can discuss that with the VRT directly.  I'll defer to them.

J

On Feb 9, 2010, at 5:53 PM, evilghost at ...3397... wrote:

> Thanks Joel, I neglected to include research@{SF FQDN} and have done 
> so.  I cannot include a PCAP due to confidentiality of payload.  I was 
> hoping perhaps pointing out that this is IPv4 data, not IPv6, may be 
> useful in reducing the false positives if I'm even looking in the right 
> place (SID confusion/inaccuracy in the announcement email?).
> 
> To me, it seems that MS10-009 is isolated to specially crafted ICMP IPv6 
> packets, not IPv4.  Could this GID3 rule be updated to look at IPv6 
> header (not IPv4) or more specifically IPv6 ICMP?
> 
> -evilghost
> 
> Joel Esler wrote:
>> Evilghost--
>> 
>> Best way to troubleshoot these is to provide VRT with a pcap of the 
>> traffic so they can troubleshoot the rule.
>> 
>> -- 
>> Joel Esler
>> 302-223-5974
>> Sent from my iPhone
>> 
>> On Feb 9, 2010, at 5:25 PM, "evilghost at ...3397..." 
>> <evilghost at ...3397...> wrote:
>> 
>>> I am seeing this false heavily against TCP sport 80/sport 443 sourced
>>> from known trusted Internet hosts such as Thomson Reuters.  What
>>> information can I provide to the VRT team to better reduce this false
>>> positive since I have no visibility into this GID3 signature.  The
>>> stub-rule appears to be "$EXTERNAL_NET any -> $HOME_NET any" which
>>> really expands the scope of this signature and its false positive
>>> potential.
>>> 
>>> Are others also seeing this?  Even more odd is I do not see this
>>> signature announced in the VRT update.  Change log is blank due to these
>>> being GID 3 so I'm going on information in the announcement email which
>>> doesn't seem to cover this.  The announcement email shows 16405 for
>>> MS10-009 yet the stub rule shows 16408, if I understand it correctly.
>>> Also please note this is IPv4 traffic, established, not IPv6.
>>> 
>>> Any insight, comments, etc. is appreciated.  Troubleshooting this is
>>> difficult due to the lack of information and what appears to be
>>> inconsistent/inaccurate information in the announcement email.
>>> 
>>> Thanks in advance,
>>> -evilghost
>>> 
>>> ------------------------------------------------------------------------------ 
>>> 
>>> SOLARIS 10 is the OS for Data Centers - provides features such as 
>>> DTrace,
>>> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
>>> http://p.sf.net/sfu/solaris-dev2dev
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 

--
Joel Esler
302-223-5974
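The thread's practical problem is that the reporter cannot share a pcap and has no visibility into the GID 3 shared-object rule, yet still wants to show the VRT that the hits are IPv4 TCP from source port 80/443 rather than the ICMPv6 traffic MS10-009 concerns. The following is an added example, not code from the thread or from Sourcefire: it parses Snort "alert_fast" lines, aggregates header-level facts per gid:sid (protocol, IP version, source ports, number of distinct source hosts) with no payload, and flags a signature whose observed traffic never matches what the advisory calls for. The alert lines are constructed samples with a placeholder rule message, and the `EXPECTED_TRAFFIC` table is an assumption taken from the thread's own reasoning (including which `{PROTO}` token Snort prints for ICMPv6), not from Snort documentation.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Layout of a Snort "alert_fast" line (samples below are constructed, not a real capture):
#   <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[A-Z0-9-]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alerts: the 3:16408 hits mimic the thread's symptom (IPv4 TCP from
# source port 80/443); the local-range 1:1000001 line is a constructed ICMPv6 hit for contrast.
SAMPLE_ALERTS = [
    "02/09-17:20:01.000001  [**] [3:16408:1] PLACEHOLDER rule message [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:443 -> 10.0.0.5:51234",
    "02/09-17:20:02.000002  [**] [3:16408:1] PLACEHOLDER rule message [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.11:80 -> 10.0.0.6:51235",
    "02/09-17:20:03.000003  [**] [3:16408:1] PLACEHOLDER rule message [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:443 -> 10.0.0.7:51236",
    "02/09-17:20:04.000004  [**] [1:1000001:1] PLACEHOLDER local rule [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 2001:db8::1 -> 2001:db8::5",
]

# Assumption (from the thread's reasoning, not from Snort documentation): MS10-009 traffic
# should be ICMP carried over IPv6.  The exact {PROTO} token Snort emits for ICMPv6 is
# also assumed, so both spellings are accepted.
EXPECTED_TRAFFIC = {"3:16408": {("ICMP", 6), ("IPV6-ICMP", 6)}}


def split_endpoint(endpoint, proto):
    """Return (host, port); TCP/UDP endpoints end in :port, ICMP-style ones carry no port."""
    if proto in ("TCP", "UDP"):
        host, _, port = endpoint.rpartition(":")
        return host, int(port)
    return endpoint, None


def parse_alert(line):
    """Parse one fast-alert line into a dict, or None if it does not match the layout."""
    m = FAST_ALERT_RE.match(line)
    if m is None:
        return None
    proto = m.group("proto")
    src_host, src_port = split_endpoint(m.group("src"), proto)
    dst_host, dst_port = split_endpoint(m.group("dst"), proto)
    return {
        "sig": f"{m.group('gid')}:{m.group('sid')}",
        "proto": proto,
        "ip_version": ip_address(src_host).version,
        "src_host": src_host,
        "src_port": src_port,
        "dst_host": dst_host,
        "dst_port": dst_port,
    }


def summarize(lines):
    """Aggregate per gid:sid, keeping only header-level facts (no payload)."""
    per_sig = defaultdict(lambda: {
        "count": 0,
        "proto_ver": Counter(),   # (proto, ip_version) -> hits
        "src_port": Counter(),
        "src_hosts": set(),
    })
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        s = per_sig[alert["sig"]]
        s["count"] += 1
        s["proto_ver"][(alert["proto"], alert["ip_version"])] += 1
        if alert["src_port"] is not None:
            s["src_port"][alert["src_port"]] += 1
        s["src_hosts"].add(alert["src_host"])
    return dict(per_sig)


def find_mismatches(summary, expected):
    """Signatures whose hits never match the (proto, ip_version) the advisory calls for."""
    return sorted(
        sig for sig, s in summary.items()
        if sig in expected and not (set(s["proto_ver"]) & expected[sig])
    )


def triage_report(summary, expected):
    """Plain-text summary that can be sent to a rule vendor without a pcap."""
    mismatched = set(find_mismatches(summary, expected))
    lines = []
    for sig in sorted(summary):
        s = summary[sig]
        proto_ver = ", ".join(f"{p}/IPv{v}={n}" for (p, v), n in s["proto_ver"].most_common())
        ports = ", ".join(f"{p}={n}" for p, n in s["src_port"].most_common(3)) or "n/a"
        verdict = "MISMATCH" if sig in mismatched else "ok"
        lines.append(f"{sig}: {s['count']} hits; {proto_ver}; top sports {ports}; "
                     f"{len(s['src_hosts'])} source hosts; {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(summarize(SAMPLE_ALERTS), EXPECTED_TRAFFIC))
```

Run against a real `alert` file (one line per alert) the report gives the vendor the evidence the reporter wanted to convey (protocol, IP version, source ports, host count) while keeping payloads confidential; the `EXPECTED_TRAFFIC` table is the only place the analyst's reading of the advisory enters, so it is the line to revisit if the vendor says the rule legitimately covers other transports.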