[Snort-sigs] little help with false positives?

Henri Reinikainen henri at ...3710...
Fri Jul 20 01:32:03 EDT 2012


Hi

Does someone have time to educate me? Because I don't get it.

spamd-setup is running in cron hourly, fetching spammer IP lists from 
www.openbsd.org via http. Every time this fetch happens there are some 
alerts triggered.

# spamd-setup -d -b
Getting http://www.openbsd.org/spamd/traplist.gz
blacklist uatraps 51709 entries
Getting http://www.openbsd.org/spamd/nixspam.gz
blacklist nixspam 40000 entries

sensitive_data: sensitive data global threshold exceeded
sensitive_data: sensitive data - eMail addresses
http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

I've checked the connection with telnet and the content of those lists. There 
is nothing even remotely like e-mail addresses (well, one). The other problem 
with this is that those lists are downloaded to the server, not uploaded. If 
I understand correctly this rule should only be working in one 
direction.
If I download these lists and decompress them by hand, there are no 
decompression errors.

ipvar HOME_NET [xxx.xxx.xxx.xxx/32]
ipvar EXTERNAL_NET !$HOME_NET

alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] 
(msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, 
service smtp, service ftp-data, service imap, service pop3; 
sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
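The two alerts in the post can be checked offline against the fetched files themselves: whether the body is valid gzip, and how many e-mail-address-like tokens the decompressed list contains compared with the sd_pattern threshold of 20 in the posted rule. The script below is an added example, not code from the original post or from the Snort project; the e-mail regex is an assumption that only approximates Snort's sensitive_data "email" pattern, and the sample lists are constructed, not the real openbsd.org files.

```python
"""Offline check of a fetched spamd blocklist against the two Snort alerts
from the post: gzip integrity and e-mail-address-like token count vs. the
sd_pattern threshold. Added example; regex and sample data are assumptions."""
import gzip
import re

# Assumption: loose approximation of an e-mail address. Snort's own
# sensitive_data "email" pattern is not reproduced here.
EMAIL_RE = re.compile(
    rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

SD_THRESHOLD = 20  # sd_pattern:20,email from the posted rule


def count_email_like(data: bytes) -> int:
    """Count tokens that look like e-mail addresses in a decompressed list."""
    return len(EMAIL_RE.findall(data))


def check_list(gz_bytes: bytes, threshold: int = SD_THRESHOLD) -> dict:
    """Decompress one fetched list and report what the preprocessors would see."""
    try:
        raw = gzip.decompress(gz_bytes)
    except (OSError, EOFError):
        # Corresponds to "HTTP RESPONSE GZIP DECOMPRESSION FAILED":
        # the body was not a complete, valid gzip stream.
        return {"gzip_ok": False, "entries": 0, "email_like": 0,
                "would_alert": False}
    entries = [ln for ln in raw.splitlines() if ln.strip()]
    hits = count_email_like(raw)
    return {
        "gzip_ok": True,
        "entries": len(entries),
        "email_like": hits,
        # Assumption: the sd_pattern count triggers once it reaches the threshold.
        "would_alert": hits >= threshold,
    }


# Constructed sample data (not the real traplist.gz / nixspam.gz contents).
TRAPLIST_LIKE = b"\n".join(b"192.0.2.%d" % i for i in range(1, 51)) + b"\n"
WITH_EMAILS = (
    TRAPLIST_LIKE
    + b"\n".join(b"user%d@example.org" % i for i in range(21))
    + b"\n"
)
NOT_GZIP = b"<html>503 Service Unavailable</html>"  # e.g. an error page instead of the list


def demo() -> dict:
    """Run the check over the three constructed cases."""
    return {
        "clean": check_list(gzip.compress(TRAPLIST_LIKE)),
        "noisy": check_list(gzip.compress(WITH_EMAILS)),
        "broken": check_list(NOT_GZIP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Pointing check_list at a file saved by spamd-setup (or by a manual fetch) shows whether the decompressed content alone could account for the e-mail count the sensitive_data preprocessor reports; if it cannot, the alert is coming from something other than the list body, which is the next thing to look at in the captured session.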



