[Snort-sigs] false positive FYI

Daniel Schreiber scrober at outlook.de
Thu Jan 4 09:10:05 EST 2018


Hello Mr. Lewis,

I have the packet capture now, but I think it is something like a man-in-the-middle. There are a lot of retransmissions caused by changing the checksum.
I'm not that good with packet capturing at all, so I don't know how to white all my data out.

Greetings

________________________________
From: Daniel Schreiber <scrober at outlook.de>
Sent: Thursday, 4 January 2018 14:50
To: Al Lewis (allewi)
Subject: AW: AW: [Snort-sigs] false positive FYI

Hello,

So I have managed to capture the Snort log; maybe it will help you a little bit. I also have the packet capture, but I'm trying to sort it out a little bit for you.

Greetings
________________________________
From: Daniel Schreiber <scrober at outlook.de>
Sent: Wednesday, 3 January 2018 14:34
To: Al Lewis (allewi)
Subject: AW: AW: [Snort-sigs] false positive FYI

Oh okay, so I will do some testing and do the normal things that cause this alert; maybe I can capture one of the malicious packets.

Greetings
________________________________
From: Al Lewis (allewi) <allewi at cisco.com>
Sent: Wednesday, 3 January 2018 14:23
To: Daniel Schreiber
Subject: Re: AW: [Snort-sigs] false positive FYI

Hello,

Yes, I was looking for a sample of the traffic. You won't be able to tell if this is a false positive without examining the traffic and/or some of the code (it's a preprocessing rule).




Albert Lewis

ENGINEER.SOFTWARE ENGINEERING

SOURCEfire, Inc. now part of Cisco

Email: allewi at cisco.com

From: Daniel Schreiber <scrober at outlook.de>
Date: Wednesday, January 3, 2018 at 8:18 AM
To: allewi <allewi at cisco.com>
Subject: AW: [Snort-sigs] false positive FYI

Hello,
Sorry for my late reply. Do you mean a packet capture or what else?

I can tell you the remote IP addresses, because if I run a capture there is no blocking by Snort, not even an alert.

Again, sorry for my late reply.


________________________________
From: Al Lewis (allewi) <allewi at cisco.com>
Sent: Thursday, 7 December 2017 20:59
To: Daniel Schreiber; snort-sigs at lists.snort.org
Subject: Re: [Snort-sigs] false positive FYI

Hello,

Can you send a sample of the traffic?

Thanks.


Albert Lewis

ENGINEER.SOFTWARE ENGINEERING

SOURCEfire, Inc. now part of Cisco

Email: allewi at cisco.com

From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Daniel Schreiber <scrober at outlook.de>
Date: Thursday, December 7, 2017 at 2:45 PM
To: "snort-sigs at lists.snort.org" <snort-sigs at lists.snort.org>
Subject: [Snort-sigs] false positive FYI

Hello,

This rule here:
119:33 (http_inspect) UNESCAPED SPACE IN HTTP URI

causes some false positives on my setup.

It blocks Apple FaceTime server IPs and Steam akamaitechnologies IPs that seem to refer to the Steam network.

Greetings
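As Lewis says, only the captured traffic settles whether 119:33 is a false positive. The following is an added example, not code from the thread and not Snort's own http_inspect implementation: it models the condition behind "UNESCAPED SPACE IN HTTP URI" on a few constructed request lines, showing why a raw space in the URI is ambiguous for request-line parsing and which form (percent-encoded) would not trigger the check. The sample lines and function names are mine.

```python
import re

# Constructed sample request lines (not traffic from the thread).
SAMPLES = {
    "clean":      "GET /index.html HTTP/1.1",
    "encoded":    "GET /files/my%20report.pdf HTTP/1.1",
    "unescaped":  "GET /files/my report.pdf HTTP/1.1",
    "no_version": "GET /a b",  # HTTP/0.9-style line without a version token
}

# The version token is anchored at the end so a space inside the URI
# cannot be mistaken for the separator before it.
VERSION_RE = re.compile(r" HTTP/\d\.\d$")

def split_request_line(line):
    """Split a request line into (method, uri, version).

    A literal space inside the URI breaks naive whitespace splitting, so the
    URI is taken as everything between the first space and the trailing
    ' HTTP/x.y' token. This is the situation an 'unescaped space in URI'
    check exists to surface: the server and the inspector may disagree on
    where the URI ends.
    """
    method, _, rest = line.partition(" ")
    m = VERSION_RE.search(rest)
    if m:
        return method, rest[:m.start()], rest[m.start() + 1:]
    return method, rest, ""

def has_unescaped_space(uri):
    """True when the URI carries a raw space instead of %20."""
    return " " in uri

def check_request_line(line):
    """Return (alerts, uri): alerts is True when the 119:33-style condition holds."""
    _, uri, _ = split_request_line(line)
    return has_unescaped_space(uri), uri

def escape_spaces(uri):
    """The client-side fix: percent-encode spaces so the request line is unambiguous."""
    return uri.replace(" ", "%20")

def triage(samples):
    """Run the check over a dict of request lines; maps name -> would alert."""
    return {name: check_request_line(line)[0] for name, line in samples.items()}

if __name__ == "__main__":
    for name, flagged in triage(SAMPLES).items():
        print(f"{name:<11} alert={flagged}")
```

To triage a real alert, pull the request line from the capture and feed it to `check_request_line`; a hit on a percent-encoded URI would indicate the model (or the preprocessor's parsing) differs from what the client actually sent.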



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180104/5941b5bc/attachment-0001.html>